<!DOCTYPE html>
<!--[if lt IE 7]>      <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
<!--[if IE 7]>         <html class="no-js lt-ie9 lt-ie8"> <![endif]-->
<!--[if IE 8]>         <html class="no-js lt-ie9"> <![endif]-->
<!--[if gt IE 8]><!-->
<html class="no-js" lang="en-US">
<!--<![endif]-->
<head>
	
	<meta charset="UTF-8">
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<link rel="profile" href="http://gmpg.org/xfn/11">

				<meta name="awa-pageType" content="Post">
						<meta name="awa-market" content="en-us">
						<meta name="awa-env" content="Production">
						<meta name="awa‐asst" content="92422">
			
	<!-- This site is optimized with the Yoast SEO plugin v14.9 - https://yoast.com/wordpress/plugins/seo/ -->
	<title>Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers - Microsoft Security</title>
	<meta name="robots" content="index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1" />
	<link rel="canonical" href="https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/" />
	<meta property="og:locale" content="en_US" />
	<meta property="og:type" content="article" />
	<meta property="og:title" content="Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers - Microsoft Security" />
	<meta property="og:description" content="We, along with the security industry and our partners, continue to investigate the extent of the Solorigate attack. While investigations are underway, we want to provide the defender community with intelligence to understand the scope, impact, remediation guidance, and product detections and protections we have built in as a result. While the full extent of&hellip;" />
	<meta property="og:url" content="https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/" />
	<meta property="og:site_name" content="Microsoft Security" />
	<meta property="article:published_time" content="2020-12-18T22:15:14+00:00" />
	<meta property="article:modified_time" content="2020-12-19T22:09:44+00:00" />
	<meta property="og:image" content="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Solorigate-social-5.png" />
	<meta property="og:image:width" content="1986" />
	<meta property="og:image:height" content="994" />
	<meta name="twitter:card" content="summary_large_image" />
	<meta name="twitter:image" content="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Solorigate-social-5.png" />
	<script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://www.microsoft.com/security/blog/#website","url":"https://www.microsoft.com/security/blog/","name":"Microsoft Security","description":"Expert coverage of cybersecurity topics","potentialAction":[{"@type":"SearchAction","target":"https://www.microsoft.com/security/blog/?s={search_term_string}","query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/#primaryimage","inLanguage":"en-US","url":"https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/MicrosoftTeams-image-3.jpg","width":1474,"height":768},{"@type":"WebPage","@id":"https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/#webpage","url":"https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/","name":"Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers - Microsoft 
Security","isPartOf":{"@id":"https://www.microsoft.com/security/blog/#website"},"primaryImageOfPage":{"@id":"https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/#primaryimage"},"datePublished":"2020-12-18T22:15:14+00:00","dateModified":"2020-12-19T22:09:44+00:00","author":{"@id":"https://www.microsoft.com/security/blog/#/schema/person/9532bd6c36a788d329668ac0d30ce822"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/"]}]},{"@type":"Person","@id":"https://www.microsoft.com/security/blog/#/schema/person/9532bd6c36a788d329668ac0d30ce822","name":"Eric Avena","image":{"@type":"ImageObject","@id":"https://www.microsoft.com/security/blog/#personlogo","inLanguage":"en-US","url":"https://secure.gravatar.com/avatar/94066b9416ceb3f43de47b663362e335?s=96&d=mm&r=g","caption":"Eric Avena"}}]}</script>
	<!-- / Yoast SEO plugin. -->


<link rel='dns-prefetch' href='//wcpstatic.microsoft.com' />
<link rel='dns-prefetch' href='//az725175.vo.msecnd.net' />
<link rel='dns-prefetch' href='//s.w.org' />
<link rel="alternate" type="application/rss+xml" title="Microsoft Security &raquo; Feed" href="https://www.microsoft.com/security/blog/feed/" />
<link rel="alternate" type="application/rss+xml" title="Microsoft Security &raquo; Comments Feed" href="https://www.microsoft.com/security/blog/comments/feed/" />
		<script type="text/javascript">
			// Settings read by the loader below: base URLs for emoji images and the
			// script to fetch when the browser cannot render emoji natively. The
			// concatemoji URL is same-origin with this page.
			window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/12.0.0-1\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/12.0.0-1\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/www.microsoft.com\/security\/blog\/wp-includes\/js\/wp-emoji-release.min.js?ver=5.4.2"}};
			/*! This file is auto-generated */
			// Emoji support probe and loader (minified).
			// l(kind) draws a code-point sequence to a canvas, then the same sequence
			// with zero-width spaces (8203) splitting it, and compares the two
			// toDataURL() results; identical output means the browser did not compose
			// the sequence into a single glyph, so that kind is reported unsupported.
			// Results are stored on the settings object as supports.flag,
			// supports.emoji, supports.everything and supports.everythingExceptFlag.
			// When supports.everything is false, d(url) appends a <script> element to
			// <head> for source.concatemoji (or source.twemoji then source.wpemoji),
			// so the script that gets loaded is whatever URL the settings object holds.
			!function(e,a,t){var r,n,o,i,p=a.createElement("canvas"),s=p.getContext&&p.getContext("2d");function c(e,t){var a=String.fromCharCode;s.clearRect(0,0,p.width,p.height),s.fillText(a.apply(this,e),0,0);var r=p.toDataURL();return s.clearRect(0,0,p.width,p.height),s.fillText(a.apply(this,t),0,0),r===p.toDataURL()}function l(e){if(!s||!s.fillText)return!1;switch(s.textBaseline="top",s.font="600 32px Arial",e){case"flag":return!c([127987,65039,8205,9895,65039],[127987,65039,8203,9895,65039])&&(!c([55356,56826,55356,56819],[55356,56826,8203,55356,56819])&&!c([55356,57332,56128,56423,56128,56418,56128,56421,56128,56430,56128,56423,56128,56447],[55356,57332,8203,56128,56423,8203,56128,56418,8203,56128,56421,8203,56128,56430,8203,56128,56423,8203,56128,56447]));case"emoji":return!c([55357,56424,55356,57342,8205,55358,56605,8205,55357,56424,55356,57340],[55357,56424,55356,57342,8203,55358,56605,8203,55357,56424,55356,57340])}return!1}function d(e){var t=a.createElement("script");t.src=e,t.defer=t.type="text/javascript",a.getElementsByTagName("head")[0].appendChild(t)}for(i=Array("flag","emoji"),t.supports={everything:!0,everythingExceptFlag:!0},o=0;o<i.length;o++)t.supports[i[o]]=l(i[o]),t.supports.everything=t.supports.everything&&t.supports[i[o]],"flag"!==i[o]&&(t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&t.supports[i[o]]);t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&!t.supports.flag,t.DOMReady=!1,t.readyCallback=function(){t.DOMReady=!0},t.supports.everything||(n=function(){t.readyCallback()},a.addEventListener?(a.addEventListener("DOMContentLoaded",n,!1),e.addEventListener("load",n,!1)):(e.attachEvent("onload",n),a.attachEvent("onreadystatechange",function(){"complete"===a.readyState&&t.readyCallback()})),(r=t.source||{}).concatemoji?d(r.concatemoji):r.wpemoji&&r.twemoji&&(d(r.twemoji),d(r.wpemoji)))}(window,document,window._wpemojiSettings);
		</script>
		<style type="text/css">
img.wp-smiley,
img.emoji {
	display: inline !important;
	border: none !important;
	box-shadow: none !important;
	height: 1em !important;
	width: 1em !important;
	margin: 0 .07em !important;
	vertical-align: -0.1em !important;
	background: none !important;
	padding: 0 !important;
}
</style>
	<link rel='stylesheet' id='wp-block-library-css'  href='https://www.microsoft.com/security/blog/wp-includes/css/dist/block-library/style.min.css?ver=5.4.2' type='text/css' media='all' />
<style id='oneplayer_embed_css-inline-css' type='text/css'>
.fluid-iframe {
	height: 0;
	margin-top: 30px;
	min-width: 320px;
	overflow: hidden;
	padding-bottom: 56.25%;
	position: relative;
}
.fluid-iframe iframe {
	border: none;
	height: 100%;
	left: 0;
	position: absolute;
	top: 0;
	width: 100%;
}
.fluid-iframe.override {
	max-width: 100%;
	min-width: 320px;
	padding-bottom: inherit;
}
@media only screen and (max-width: 1083px) and (min-width: 374px) {
	.fluid-iframe.override {
		margin: 0 auto;
	}
}

@media only screen and (max-width: 373px) {
	.fluid-iframe {
		margin-left: -26px;
		margin-right: -26px;
	}
}
</style>
<link rel='stylesheet' id='wds-ms-inline-interruption-styles-officeblogs-css'  href='https://www.microsoft.com/security/blog/wp-content/plugins/wds-ms-inline-interruption-styles-officeblogs/css/styles.css?ver=1608574834' type='text/css' media='all' />
<link rel='stylesheet' id='uhf-search-ui-css'  href='https://www.microsoft.com/security/blog/wp-content/plugins/wds-ms-searchwp/features/uhf-search-ui/uhf-search-ui.css?ver=1.0.1' type='text/css' media='all' />
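<!-- The two assets.onestore.ms URLs below are written with an explicit https scheme. A scheme-relative URL inherits the scheme of the embedding document, so a copy of this page served over plain HTTP would fetch the stylesheet and the script without transport integrity. -->
<link rel='stylesheet' id='mwf-style-css'  href='https://assets.onestore.ms/cdnfiles/external/mwf/short/v1/latest/css/mwf-west-european-default.min.css?ver=5.4.2' type='text/css' media='all' />
<link rel='stylesheet' id='microsoft-style-css'  href='https://www.microsoft.com/security/blog/wp-content/themes/ms_s/style.css?ver=1.0.0' type='text/css' media='all' />
<link rel='stylesheet' id='microsoft-child-style-css'  href='https://www.microsoft.com/security/blog/wp-content/themes/ms-security/style.min.css?ver=2.4.2' type='text/css' media='all' />
<!-- NOTE(review): the scripts from wcpstatic.microsoft.com, assets.onestore.ms and az725175.vo.msecnd.net carry no integrity attribute, and the mwf URLs point at a "latest" path whose content can change, which a fixed SRI hash cannot follow. Whether a Content-Security-Policy restricts script sources is not visible in this file. -->
<script type='text/javascript' src='https://wcpstatic.microsoft.com/mscc/lib/v2/wcp-consent.js'></script>
<script type='text/javascript' src='https://www.microsoft.com/security/blog/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp'></script>
<script type='text/javascript' src='https://www.microsoft.com/security/blog/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1'></script>
<script type='text/javascript' src='https://assets.onestore.ms/cdnfiles/external/mwf/short/v1/latest/scripts/mwf-main.var.min.js?ver=v1.23.2+5182151'></script>
<script type='text/javascript' src='https://az725175.vo.msecnd.net/scripts/jsll-4.js'></script>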
<link rel='https://api.w.org/' href='https://www.microsoft.com/security/blog/wp-json/' />
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://www.microsoft.com/security/blog/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://www.microsoft.com/security/blog/wp-includes/wlwmanifest.xml" /> 
<link rel='shortlink' href='https://www.microsoft.com/security/blog/?p=92422' />
<link rel="alternate" type="application/json+oembed" href="https://www.microsoft.com/security/blog/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2020%2F12%2F18%2Fanalyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect%2F" />
<link rel="alternate" type="text/xml+oembed" href="https://www.microsoft.com/security/blog/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2020%2F12%2F18%2Fanalyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect%2F&#038;format=xml" />
<!-- Stream WordPress user activity plugin v3.5.1 -->
<style type="text/css">.recentcomments a{display:inline !important;padding:0 !important;margin:0 !important;}</style>
	<!-- LinkedIn Code -->
	<script type="text/javascript">
		// Global partner id; presumably read by the injected LinkedIn script once
		// it runs (nothing on this page reads it directly).
		var _linkedin_data_partner_id = "7850";

		/**
		 * Injects the LinkedIn Insight analytics script ahead of the first
		 * <script> element in the document.
		 *
		 * The script is fetched from a third-party origin (snap.licdn.com) at
		 * call time and is added without an integrity attribute. No caller is
		 * visible in this part of the page.
		 */
		function linkedinTracking(){
			var firstScript = document.getElementsByTagName("script")[0];
			var insightTag = document.createElement("script");
			insightTag.type = "text/javascript";
			insightTag.async = true;
			insightTag.src = "https://snap.licdn.com/li.lms-analytics/insight.min.js";
			firstScript.parentNode.insertBefore(insightTag, firstScript);
		}
	</script>
	<!-- End LinkedIn Code -->

	
	<!-- GDC Code -->
	<script>
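		/**
		 * Loads the GDC tracking script by appending a <script> element to <head>.
		 *
		 * The URL carries an explicit https scheme. A scheme-relative URL follows
		 * the scheme of the embedding page, so a copy of this page served over
		 * plain HTTP would fetch executable code over an unauthenticated channel;
		 * this also matches linkedinTracking(), which already uses https.
		 *
		 * NOTE(review): the element is added without an integrity attribute, and
		 * nothing here shows whether the response is versioned, so confirm with
		 * the endpoint owner whether SRI can be applied. No caller is visible in
		 * this part of the page.
		 */
		function gdcTracking() {
			var tag = document.createElement( 'script' );
			var scriptUrl = "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE1r2ij";
			tag.setAttribute( 'src', scriptUrl );
			document.head.appendChild( tag );
		}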
	</script>
	<!-- End GDC Code -->

		<!-- JSLL tracking -->
	<script>
		// Page-level metadata handed to the analytics library on initialisation.
		var config = {
			coreData: {
				"pageName": "Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers",
				"pageType": "Post",
				"appId": "JS:securityBlog"
			}
		};

		// awa is presumably the global exposed by the jsll-4.js script loaded
		// earlier in <head>. If it is absent (script blocked or failed to load),
		// initialisation is skipped rather than raising a ReferenceError.
		typeof awa !== 'undefined' && awa.init( config );
	</script>
	<link rel="stylesheet" href="https://www.microsoft.com/onerfstatics/marketingsites-eus-prod/west-european/shell/_scrf/css/themes=default.device=uplevel_web_pc/3e-901128/3f-788d92/2a-4a3005/10-37b382/d8-118353/df-e480da/41-c6f216/81-aa1473?ver=2.0" type="text/css" media="all" /><link rel='stylesheet' href='https://statics-marketingsites-eus-ms-com.akamaized.net/statics/override.css?c=7' type='text/css' />	<link rel="pingback" href="">

	<style>
	#ms-cookie-banner p {
		padding-top: 0;
	}
	</style>
</head>

<body class="post-template-default single single-post postid-92422 single-format-standard microsoft-uhf no-featured-image group-blog no-js not-ready document-locale-en_US">
<div id="ms-cookie-banner"></div><div id="page" class="site">
	<a class="m-skip-to-main" href="#mainContent" tabindex="0">Skip to main content</a>

	<!-- start universal header -->
			<div id="headerArea" class="uhf"  data-m='{"cN":"headerArea","cT":"Area_coreuiArea","id":"a1Body","sN":1,"aN":"Body"}'>
                <div id="headerRegion"     data-region-key="headerregion" data-m='{"cN":"headerRegion","cT":"Region_coreui-region","id":"r1a1","sN":1,"aN":"a1"}' >

    <div  id="headerUniversalHeader" data-m='{"cN":"headerUniversalHeader","cT":"Module_coreui-universalheader","id":"m1r1a1","sN":1,"aN":"r1a1"}'  data-module-id="Category|headerRegion|coreui-region|headerUniversalHeader|coreui-universalheader">
        





        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c5c3c5c8c3c1m1r1a1","sN":5,"aN":"c3c5c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_68" class="js-subm-uhf-nav-link" href="https://azure.microsoft.com/en-us/services/azure-sphere/" data-m='{"id":"n1c5c3c5c8c3c1m1r1a1","sN":1,"aN":"c5c3c5c8c3c1m1r1a1"}'>Azure Sphere</a>
            
        </li>
            </ul>
            
        </li>
        <li class="f-sub-menu js-nav-menu nested-menu" data-m='{"cT":"Container","id":"c4c5c8c3c1m1r1a1","sN":4,"aN":"c5c8c3c1m1r1a1"}'>

            <button type="button"   aria-expanded="false" data-m='{"id":"nn1c4c5c8c3c1m1r1a1","sN":1,"aN":"c4c5c8c3c1m1r1a1"}'>Identity and access management</button>
            <ul aria-hidden="true">
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c2c4c5c8c3c1m1r1a1","sN":2,"aN":"c4c5c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_70" class="js-subm-uhf-nav-link" href="https://azure.microsoft.com/en-us/services/active-directory/" data-m='{"id":"n1c2c4c5c8c3c1m1r1a1","sN":1,"aN":"c2c4c5c8c3c1m1r1a1"}'>Azure Active Directory</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c3c4c5c8c3c1m1r1a1","sN":3,"aN":"c4c5c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_71" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/account/authenticator" data-m='{"id":"n1c3c4c5c8c3c1m1r1a1","sN":1,"aN":"c3c4c5c8c3c1m1r1a1"}'>Microsoft Authenticator</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c4c4c5c8c3c1m1r1a1","sN":4,"aN":"c4c5c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_72" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/microsoft-365/security/identity-defender" data-m='{"id":"n1c4c4c5c8c3c1m1r1a1","sN":1,"aN":"c4c4c5c8c3c1m1r1a1"}'>Microsoft Defender for Identity</a>
            
        </li>
            </ul>
            
        </li>
        <li class="f-sub-menu js-nav-menu nested-menu" data-m='{"cT":"Container","id":"c5c5c8c3c1m1r1a1","sN":5,"aN":"c5c8c3c1m1r1a1"}'>

            <button type="button"   aria-expanded="false" data-m='{"id":"nn1c5c5c8c3c1m1r1a1","sN":1,"aN":"c5c5c8c3c1m1r1a1"}'>Network security</button>
            <ul aria-hidden="true">
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c2c5c5c8c3c1m1r1a1","sN":2,"aN":"c5c5c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_74" class="js-subm-uhf-nav-link" href="https://azure.microsoft.com/en-us/services/application-gateway/" data-m='{"id":"n1c2c5c5c8c3c1m1r1a1","sN":1,"aN":"c2c5c5c8c3c1m1r1a1"}'>Azure Application Gateway</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c3c5c5c8c3c1m1r1a1","sN":3,"aN":"c5c5c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_75" class="js-subm-uhf-nav-link" href="https://azure.microsoft.com/en-us/services/vpn-gateway/" data-m='{"id":"n1c3c5c5c8c3c1m1r1a1","sN":1,"aN":"c3c5c5c8c3c1m1r1a1"}'>Azure VPN Gateway</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c4c5c5c8c3c1m1r1a1","sN":4,"aN":"c5c5c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_76" class="js-subm-uhf-nav-link" href="https://azure.microsoft.com/en-us/services/ddos-protection/" data-m='{"id":"n1c4c5c5c8c3c1m1r1a1","sN":1,"aN":"c4c5c5c8c3c1m1r1a1"}'>Azure DDoS Protection</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c5c5c5c8c3c1m1r1a1","sN":5,"aN":"c5c5c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_77" class="js-subm-uhf-nav-link" href="https://azure.microsoft.com/en-us/services/firewall-manager/" data-m='{"id":"n1c5c5c5c8c3c1m1r1a1","sN":1,"aN":"c5c5c5c8c3c1m1r1a1"}'>Azure Firewall manager</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c6c5c5c8c3c1m1r1a1","sN":6,"aN":"c5c5c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_78" class="js-subm-uhf-nav-link" href="https://azure.microsoft.com/en-us/services/frontdoor/" data-m='{"id":"n1c6c5c5c8c3c1m1r1a1","sN":1,"aN":"c6c5c5c8c3c1m1r1a1"}'>Azure Front-door</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c7c5c5c8c3c1m1r1a1","sN":7,"aN":"c5c5c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_79" class="js-subm-uhf-nav-link" href="https://azure.microsoft.com/en-us/services/web-application-firewall/" data-m='{"id":"n1c7c5c5c8c3c1m1r1a1","sN":1,"aN":"c7c5c5c8c3c1m1r1a1"}'>Azure Web Application Firewall</a>
            
        </li>
            </ul>
            
        </li>
        <li class="f-sub-menu js-nav-menu nested-menu" data-m='{"cT":"Container","id":"c6c5c8c3c1m1r1a1","sN":6,"aN":"c5c8c3c1m1r1a1"}'>

            <button type="button"   aria-expanded="false" data-m='{"id":"nn1c6c5c8c3c1m1r1a1","sN":1,"aN":"c6c5c8c3c1m1r1a1"}'>Security posture</button>
            <ul aria-hidden="true">
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c2c6c5c8c3c1m1r1a1","sN":2,"aN":"c6c5c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_81" class="js-subm-uhf-nav-link" href="https://azure.microsoft.com/en-us/services/security-center/" data-m='{"id":"n1c2c6c5c8c3c1m1r1a1","sN":1,"aN":"c2c6c5c8c3c1m1r1a1"}'>Azure Security Center</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c3c6c5c8c3c1m1r1a1","sN":3,"aN":"c6c5c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_82" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/microsoft-365/enterprise-mobility-security/microsoft-secure-score" data-m='{"id":"n1c3c6c5c8c3c1m1r1a1","sN":1,"aN":"c3c6c5c8c3c1m1r1a1"}'>Microsoft Secure Score</a>
            
        </li>
            </ul>
            
        </li>
        <li class="f-sub-menu js-nav-menu nested-menu" data-m='{"cT":"Container","id":"c7c5c8c3c1m1r1a1","sN":7,"aN":"c5c8c3c1m1r1a1"}'>

            <button type="button"   aria-expanded="false" data-m='{"id":"nn1c7c5c8c3c1m1r1a1","sN":1,"aN":"c7c5c8c3c1m1r1a1"}'>SIEM and XDR</button>
            <ul aria-hidden="true">
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c2c7c5c8c3c1m1r1a1","sN":2,"aN":"c7c5c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_84" class="js-subm-uhf-nav-link" href="https://azure.microsoft.com/en-us/services/azure-sentinel/" data-m='{"id":"n1c2c7c5c8c3c1m1r1a1","sN":1,"aN":"c2c7c5c8c3c1m1r1a1"}'>Azure Sentinel</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c3c7c5c8c3c1m1r1a1","sN":3,"aN":"c7c5c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_85" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender" data-m='{"id":"n1c3c7c5c8c3c1m1r1a1","sN":1,"aN":"c3c7c5c8c3c1m1r1a1"}'>Microsoft 365 Defender</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c4c7c5c8c3c1m1r1a1","sN":4,"aN":"c7c5c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_86" class="js-subm-uhf-nav-link" href="https://azure.microsoft.com/en-us/services/azure-defender/" data-m='{"id":"n1c4c7c5c8c3c1m1r1a1","sN":1,"aN":"c4c7c5c8c3c1m1r1a1"}'>Azure Defender</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c5c7c5c8c3c1m1r1a1","sN":5,"aN":"c7c5c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_87" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/security/business/threat-protection" data-m='{"id":"n1c5c7c5c8c3c1m1r1a1","sN":1,"aN":"c5c7c5c8c3c1m1r1a1"}'>SIEM and XDR overview</a>
            
        </li>
            </ul>
            
        </li>
                                                    
                                </ul>
                            </div>
                        </li>                        <li class="single-link js-nav-menu uhf-menu-item">
                            <a id="c-shellmenu_88" class="c-uhf-nav-link" href="https://www.microsoft.com/en-us/security/business/operations" data-m='{"id":"n6c8c3c1m1r1a1","sN":6,"aN":"c8c3c1m1r1a1"}'>Operations</a>
                        </li>
                        <li class="nested-menu uhf-menu-item">
                            <div class="c-uhf-menu js-nav-menu">
                                <button type="button" id="c-shellmenu_89"  aria-expanded="false" data-m='{"id":"nn7c8c3c1m1r1a1","sN":7,"aN":"c8c3c1m1r1a1"}'>Partners</button>

                                <ul class="" data-class-idn="" aria-hidden="true" data-m='{"cT":"Container","id":"c8c8c3c1m1r1a1","sN":8,"aN":"c8c3c1m1r1a1"}'>
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c1c8c8c3c1m1r1a1","sN":1,"aN":"c8c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_90" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/security/business/partnerships" data-m='{"id":"n1c1c8c8c3c1m1r1a1","sN":1,"aN":"c1c8c8c3c1m1r1a1"}'>Partners Overview</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c2c8c8c3c1m1r1a1","sN":2,"aN":"c8c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_91" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/security/business/find-a-partner" data-m='{"id":"n1c2c8c8c3c1m1r1a1","sN":1,"aN":"c2c8c8c3c1m1r1a1"}'>Find a partner</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c3c8c8c3c1m1r1a1","sN":3,"aN":"c8c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_92" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/security/business/intelligent-security-association" data-m='{"id":"n1c3c8c8c3c1m1r1a1","sN":1,"aN":"c3c8c8c3c1m1r1a1"}'>Security Association</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c4c8c8c3c1m1r1a1","sN":4,"aN":"c8c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_93" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/security/business/government" data-m='{"id":"n1c4c8c8c3c1m1r1a1","sN":1,"aN":"c4c8c8c3c1m1r1a1"}'>Government partners</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c5c8c8c3c1m1r1a1","sN":5,"aN":"c8c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_94" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/security/business/industry-alliances" data-m='{"id":"n1c5c8c8c3c1m1r1a1","sN":1,"aN":"c5c8c8c3c1m1r1a1"}'>Industry Alliances</a>
            
        </li>
                                                    
                                </ul>
                            </div>
                        </li>                        <li class="nested-menu uhf-menu-item">
                            <div class="c-uhf-menu js-nav-menu">
                                <button type="button" id="c-shellmenu_95"  aria-expanded="false" data-m='{"id":"nn9c8c3c1m1r1a1","sN":9,"aN":"c8c3c1m1r1a1"}'>Resources</button>

                                <ul class="" data-class-idn="" aria-hidden="true" data-m='{"cT":"Container","id":"c10c8c3c1m1r1a1","sN":10,"aN":"c8c3c1m1r1a1"}'>
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c1c10c8c3c1m1r1a1","sN":1,"aN":"c10c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_96" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/security/business/security-fundamentals" data-m='{"id":"n1c1c10c8c3c1m1r1a1","sN":1,"aN":"c1c10c8c3c1m1r1a1"}'>Security fundamentals</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c2c10c8c3c1m1r1a1","sN":2,"aN":"c10c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_97" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/security/business/resources" data-m='{"id":"n1c2c10c8c3c1m1r1a1","sN":1,"aN":"c2c10c8c3c1m1r1a1"}'>Webcasts, whitepapers &amp; more</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c3c10c8c3c1m1r1a1","sN":3,"aN":"c10c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_98" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/security/business/security-intelligence-report" data-m='{"id":"n1c3c10c8c3c1m1r1a1","sN":1,"aN":"c3c10c8c3c1m1r1a1"}'>Intelligence</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c4c10c8c3c1m1r1a1","sN":4,"aN":"c10c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_99" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/security/business/events" data-m='{"id":"n1c4c10c8c3c1m1r1a1","sN":1,"aN":"c4c10c8c3c1m1r1a1"}'>Events</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c5c10c8c3c1m1r1a1","sN":5,"aN":"c10c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_100" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/security/blog/" data-m='{"id":"n1c5c10c8c3c1m1r1a1","sN":1,"aN":"c5c10c8c3c1m1r1a1"}'>Security blog</a>
            
        </li>
                                                    
                                </ul>
                            </div>
                        </li>                        <li class="nested-menu uhf-menu-item">
                            <div class="c-uhf-menu js-nav-menu">
                                <button type="button" id="c-shellmenu_101"  aria-expanded="false" data-m='{"id":"nn11c8c3c1m1r1a1","sN":11,"aN":"c8c3c1m1r1a1"}'>Trust Center</button>

                                <ul class="" data-class-idn="" aria-hidden="true" data-m='{"cT":"Container","id":"c12c8c3c1m1r1a1","sN":12,"aN":"c8c3c1m1r1a1"}'>
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c1c12c8c3c1m1r1a1","sN":1,"aN":"c12c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_102" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/trust-center" data-m='{"id":"n1c1c12c8c3c1m1r1a1","sN":1,"aN":"c1c12c8c3c1m1r1a1"}'>Trust Center</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c2c12c8c3c1m1r1a1","sN":2,"aN":"c12c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_103" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/security" data-m='{"id":"n1c2c12c8c3c1m1r1a1","sN":1,"aN":"c2c12c8c3c1m1r1a1"}'>Security</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c3c12c8c3c1m1r1a1","sN":3,"aN":"c12c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_104" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/trust-center/privacy" data-m='{"id":"n1c3c12c8c3c1m1r1a1","sN":1,"aN":"c3c12c8c3c1m1r1a1"}'>Privacy</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c4c12c8c3c1m1r1a1","sN":4,"aN":"c12c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_105" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/trust-center/compliance/compliance-overview" data-m='{"id":"n1c4c12c8c3c1m1r1a1","sN":1,"aN":"c4c12c8c3c1m1r1a1"}'>Compliance</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cT":"Container","id":"c5c12c8c3c1m1r1a1","sN":5,"aN":"c12c8c3c1m1r1a1"}'>
            <a id="c-shellmenu_106" class="js-subm-uhf-nav-link" href="https://servicetrust.microsoft.com/ViewPage/HomePage" data-m='{"id":"n1c5c12c8c3c1m1r1a1","sN":1,"aN":"c5c12c8c3c1m1r1a1"}'>Service Trust Portal</a>
            
        </li>
                                                    
                                </ul>
                            </div>
                        </li>

                <li id="overflow-menu" class="overflow-menu x-hidden uhf-menu-item">
                        <div class="c-uhf-menu js-nav-menu">
        <button data-m='{"pid":"More","id":"nn13c8c3c1m1r1a1","sN":13,"aN":"c8c3c1m1r1a1"}' type="button" aria-label="More" aria-expanded="false">More</button>
        <ul id="overflow-menu-list" aria-hidden="true" class="overflow-menu-list">
        </ul>
    </div>

                </li>
                            </ul>
            
        </nav>


            <div class="c-uhfh-actions" data-m='{"cN":"Header actions_cont","cT":"Container","id":"c9c3c1m1r1a1","sN":9,"aN":"c3c1m1r1a1"}'>
                <div class="wf-menu">        <nav id="uhf-c-nav" data-m='{"cN":"GlobalNav_cont","cT":"Container","id":"c1c9c3c1m1r1a1","sN":1,"aN":"c9c3c1m1r1a1"}'>
            <ul class="js-paddle-items">
                <li>
                    <div class="c-uhf-menu js-nav-menu">
                        <button type="button" class="c-button-logo all-ms-nav" aria-label="All Microsoft expand to see list of Microsoft products and services" aria-expanded="false" data-m='{"cN":"GlobalNav_More_nonnav","id":"nn1c1c9c3c1m1r1a1","sN":1,"aN":"c1c9c3c1m1r1a1"}'> <span>All Microsoft</span></button>
                        <ul class="f-multi-column f-multi-column-6" aria-hidden="true" data-m='{"cN":"More_cont","cT":"Container","id":"c2c1c9c3c1m1r1a1","sN":2,"aN":"c1c9c3c1m1r1a1"}'>
                                    <li class="c-w0-contr">
            <ul class="c-w0">
        <li class="js-nav-menu single-link" data-m='{"cN":"Microsoft 365_cont","cT":"Container","id":"c1c2c1c9c3c1m1r1a1","sN":1,"aN":"c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_0" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/microsoft-365/business/all-business" data-m='{"cN":"W0Nav_Microsoft 365_nav","id":"n1c1c2c1c9c3c1m1r1a1","sN":1,"aN":"c1c2c1c9c3c1m1r1a1"}'>Microsoft 365</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"Azure_cont","cT":"Container","id":"c2c2c1c9c3c1m1r1a1","sN":2,"aN":"c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_1" class="js-subm-uhf-nav-link" href="https://azure.microsoft.com" data-m='{"cN":"W0Nav_Azure_nav","id":"n1c2c2c1c9c3c1m1r1a1","sN":1,"aN":"c2c2c1c9c3c1m1r1a1"}'>Azure</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"Office 365_cont","cT":"Container","id":"c3c2c1c9c3c1m1r1a1","sN":3,"aN":"c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_2" class="js-subm-uhf-nav-link" href="https://products.office.com/en-us/business/office" data-m='{"cN":"W0Nav_Office 365_nav","id":"n1c3c2c1c9c3c1m1r1a1","sN":1,"aN":"c3c2c1c9c3c1m1r1a1"}'>Office 365</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"Dynamics 365_cont","cT":"Container","id":"c4c2c1c9c3c1m1r1a1","sN":4,"aN":"c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_3" class="js-subm-uhf-nav-link" href="https://dynamics.microsoft.com/en-us/" data-m='{"cN":"W0Nav_Dynamics 365_nav","id":"n1c4c2c1c9c3c1m1r1a1","sN":1,"aN":"c4c2c1c9c3c1m1r1a1"}'>Dynamics 365</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"Power Platform_cont","cT":"Container","id":"c5c2c1c9c3c1m1r1a1","sN":5,"aN":"c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_4" class="js-subm-uhf-nav-link" href="https://powerplatform.microsoft.com/en-us" data-m='{"cN":"W0Nav_Power Platform_nav","id":"n1c5c2c1c9c3c1m1r1a1","sN":1,"aN":"c5c2c1c9c3c1m1r1a1"}'>Power Platform</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"Windows 10_cont","cT":"Container","id":"c6c2c1c9c3c1m1r1a1","sN":6,"aN":"c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_5" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/microsoft-365/windows" data-m='{"cN":"W0Nav_Windows 10_nav","id":"n1c6c2c1c9c3c1m1r1a1","sN":1,"aN":"c6c2c1c9c3c1m1r1a1"}'>Windows 10</a>
            
        </li>
            </ul>
        </li>

        <li class="f-sub-menu js-nav-menu nested-menu" data-m='{"cT":"Container","id":"c7c2c1c9c3c1m1r1a1","sN":7,"aN":"c2c1c9c3c1m1r1a1"}'>

            <button type="button"   f-multi-parent="true" aria-expanded="false" data-m='{"id":"nn1c7c2c1c9c3c1m1r1a1","sN":1,"aN":"c7c2c1c9c3c1m1r1a1"}'>Products &amp; Services</button>
            <ul aria-hidden="true">
        <li class="js-nav-menu single-link" data-m='{"cN":"More_ProductsandServices_WindowsServer_cont","cT":"Container","id":"c2c7c2c1c9c3c1m1r1a1","sN":2,"aN":"c7c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_8" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/cloud-platform/windows-server" data-m='{"cN":"GlobalNav_More_ProductsandServices_WindowsServer_nav","id":"n1c2c7c2c1c9c3c1m1r1a1","sN":1,"aN":"c2c7c2c1c9c3c1m1r1a1"}'>Windows Server</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_ProductsandServices_EnterpriseMobilityandSecurity_cont","cT":"Container","id":"c3c7c2c1c9c3c1m1r1a1","sN":3,"aN":"c7c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_9" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/cloud-platform/enterprise-mobility-security" data-m='{"cN":"GlobalNav_More_ProductsandServices_EnterpriseMobilityandSecurity_nav","id":"n1c3c7c2c1c9c3c1m1r1a1","sN":1,"aN":"c3c7c2c1c9c3c1m1r1a1"}'>Enterprise Mobility + Security</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_ProductsandServices_PowerBI_cont","cT":"Container","id":"c4c7c2c1c9c3c1m1r1a1","sN":4,"aN":"c7c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_10" class="js-subm-uhf-nav-link" href="https://powerbi.microsoft.com/en-us/" data-m='{"cN":"GlobalNav_More_ProductsandServices_PowerBI_nav","id":"n1c4c7c2c1c9c3c1m1r1a1","sN":1,"aN":"c4c7c2c1c9c3c1m1r1a1"}'>Power BI</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_ProductsandServices_Teams_cont","cT":"Container","id":"c5c7c2c1c9c3c1m1r1a1","sN":5,"aN":"c7c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_11" class="js-subm-uhf-nav-link" href="https://products.office.com/en-us/microsoft-teams/group-chat-software" data-m='{"cN":"GlobalNav_More_ProductsandServices_Teams_nav","id":"n1c5c7c2c1c9c3c1m1r1a1","sN":1,"aN":"c5c7c2c1c9c3c1m1r1a1"}'>Teams</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"DeveloperAndIT_VisualStudio_cont","cT":"Container","id":"c6c7c2c1c9c3c1m1r1a1","sN":6,"aN":"c7c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_12" class="js-subm-uhf-nav-link" href="https://visualstudio.microsoft.com/" data-m='{"cN":"GlobalNav_DeveloperAndIT_VisualStudio_nav","id":"n1c6c7c2c1c9c3c1m1r1a1","sN":1,"aN":"c6c7c2c1c9c3c1m1r1a1"}'>Visual Studio</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_MicrosoftAdvertising_cont","cT":"Container","id":"c7c7c2c1c9c3c1m1r1a1","sN":7,"aN":"c7c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_13" class="js-subm-uhf-nav-link" href="https://go.microsoft.com/fwlink/?linkid=2026462" data-m='{"cN":"GlobalNav_More_MicrosoftAdvertising_nav","id":"n1c7c7c2c1c9c3c1m1r1a1","sN":1,"aN":"c7c7c2c1c9c3c1m1r1a1"}'>Microsoft Advertising</a>
            
        </li>
            </ul>
            
        </li>
        <li class="f-sub-menu js-nav-menu nested-menu" data-m='{"cT":"Container","id":"c8c2c1c9c3c1m1r1a1","sN":8,"aN":"c2c1c9c3c1m1r1a1"}'>

            <button type="button"   f-multi-parent="true" aria-expanded="false" data-m='{"id":"nn1c8c2c1c9c3c1m1r1a1","sN":1,"aN":"c8c2c1c9c3c1m1r1a1"}'>Emerging Technologies</button>
            <ul aria-hidden="true">
        <li class="js-nav-menu single-link" data-m='{"cN":"More_EmergingTechnologies_AI_cont","cT":"Container","id":"c2c8c2c1c9c3c1m1r1a1","sN":2,"aN":"c8c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_15" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/ai/" data-m='{"cN":"GlobalNav_More_EmergingTechnologies_AI_nav","id":"n1c2c8c2c1c9c3c1m1r1a1","sN":1,"aN":"c2c8c2c1c9c3c1m1r1a1"}'>AI</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_EmergingTechnologies_InternetofThings_cont","cT":"Container","id":"c3c8c2c1c9c3c1m1r1a1","sN":3,"aN":"c8c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_16" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/internet-of-things/" data-m='{"cN":"GlobalNav_More_EmergingTechnologies_InternetofThings_nav","id":"n1c3c8c2c1c9c3c1m1r1a1","sN":1,"aN":"c3c8c2c1c9c3c1m1r1a1"}'>Internet of Things</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_EmergingTechnologies_AzureCognitiveServices_cont","cT":"Container","id":"c4c8c2c1c9c3c1m1r1a1","sN":4,"aN":"c8c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_17" class="js-subm-uhf-nav-link" href="https://azure.microsoft.com/services/cognitive-services/" data-m='{"cN":"GlobalNav_More_EmergingTechnologies_AzureCognitiveServices_nav","id":"n1c4c8c2c1c9c3c1m1r1a1","sN":1,"aN":"c4c8c2c1c9c3c1m1r1a1"}'>Azure Cognitive Services</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_EmergingTechnologies_Quantum_cont","cT":"Container","id":"c5c8c2c1c9c3c1m1r1a1","sN":5,"aN":"c8c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_18" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/quantum/" data-m='{"cN":"GlobalNav_More_EmergingTechnologies_Quantum_nav","id":"n1c5c8c2c1c9c3c1m1r1a1","sN":1,"aN":"c5c8c2c1c9c3c1m1r1a1"}'>Quantum</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_PCsAndDevices_MicrosoftHololens_cont","cT":"Container","id":"c6c8c2c1c9c3c1m1r1a1","sN":6,"aN":"c8c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_19" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/hololens" data-m='{"cN":"GlobalNav_More_PCsAndDevices_MicrosoftHololens_nav","id":"n1c6c8c2c1c9c3c1m1r1a1","sN":1,"aN":"c6c8c2c1c9c3c1m1r1a1"}'>Microsoft HoloLens</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_PCsAndDevices_VMAndMixedReality_cont","cT":"Container","id":"c7c8c2c1c9c3c1m1r1a1","sN":7,"aN":"c8c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_20" class="js-subm-uhf-nav-link" href="https://www.microsoft.com/en-us/mixed-reality" data-m='{"cN":"GlobalNav_More_PCsAndDevices_VMAndMixedReality_nav","id":"n1c7c8c2c1c9c3c1m1r1a1","sN":1,"aN":"c7c8c2c1c9c3c1m1r1a1"}'>Mixed Reality</a>
            
        </li>
            </ul>
            
        </li>
        <li class="f-sub-menu js-nav-menu nested-menu" data-m='{"cT":"Container","id":"c9c2c1c9c3c1m1r1a1","sN":9,"aN":"c2c1c9c3c1m1r1a1"}'>

            <button type="button"   f-multi-parent="true" aria-expanded="false" data-m='{"id":"nn1c9c2c1c9c3c1m1r1a1","sN":1,"aN":"c9c2c1c9c3c1m1r1a1"}'>Developer &amp; IT</button>
            <ul aria-hidden="true">
        <li class="js-nav-menu single-link" data-m='{"cN":"More_DeveloperAndIT_Docs.microsoft.com_cont","cT":"Container","id":"c2c9c2c1c9c3c1m1r1a1","sN":2,"aN":"c9c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_22" class="js-subm-uhf-nav-link" href="https://docs.microsoft.com/en-us/" data-m='{"cN":"GlobalNav_More_DeveloperAndIT_Docs.microsoft.com_nav","id":"n1c2c9c2c1c9c3c1m1r1a1","sN":1,"aN":"c2c9c2c1c9c3c1m1r1a1"}'>Docs</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_DeveloperAndIT_DeveloperCenter_cont","cT":"Container","id":"c3c9c2c1c9c3c1m1r1a1","sN":3,"aN":"c9c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_23" class="js-subm-uhf-nav-link" href="https://developer.microsoft.com/" data-m='{"cN":"GlobalNav_More_DeveloperAndIT_DeveloperCenter_nav","id":"n1c3c9c2c1c9c3c1m1r1a1","sN":1,"aN":"c3c9c2c1c9c3c1m1r1a1"}'>Developer Center</a>
            
        </li>
        <li class="js-nav-menu single-link" data-m='{"cN":"More_DeveloperAndIT_WindowsDevCenter_cont","cT":"Container","id":"c4c9c2c1c9c3c1m1r1a1","sN":4,"aN":"c9c2c1c9c3c1m1r1a1"}'>
            <a id="shellmenu_24" class="js-subm-uhf-nav-link" href="https://developer.microsoft.com/en-us/windows" data-m='{"cN":"GlobalNav_More_DeveloperAndIT_WindowsDevCenter_nav","id":"n1c4c9c2c1c9c3c1m1r1a1","sN":1,"aN":"c4c9c2c1c9c3c1m1r1a1"}'>Windows Dev Center</a>
            

			<section data-grid="col-12" class="m-highlight-feature f-lean single-post-hero no-image" itemscope itemtype="https://schema.org/Product">
		<div>
			
	<time class="entry-date published" datetime="2020-12-18T14:15:14-08:00">
		December 18, 2020	</time>


			<h1 class="c-heading">
				Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers			</h1>

			<div class="author-information">
				<div class="author-details">
					<ul class="authors">
							<li class="author-item">
		<span class="author-name">Microsoft 365 Defender Research Team</span>
			</li>
		<li class="author-item">
		<span class="author-name">Microsoft Threat Intelligence Center (MSTIC)</span>
			</li>
						</ul>
				</div>
			</div>
		</div>
	</section>
		<section class="wrap" data-grid="container stack-3">
		<main id="mainContent" class="primary" role="main" data-grid="col-12">

			
<article class="post-92422 post type-post status-publish format-standard has-post-thumbnail hentry category-cybersecurity category-endpoint-security category-incident-response category-microsoft-security-intelligence tag-microsoft-security-intelligence tag-solorigate tag-supply-chain-attacks content-type-research">



	
	<div class="entry-content">
		<p>We, along with the security industry and our partners, continue to investigate the extent of the Solorigate attack. While investigations are underway, we want to provide the defender community with intelligence to understand the scope, impact, remediation guidance, and product detections and protections we have built in as a result.</p>
<p>While the full extent of the compromise is still being investigated by the security industry as a whole, in this blog we are sharing insights into the compromised SolarWinds Orion Platform DLL that led to this sophisticated attack. The addition of a few benign-looking lines of code into a single DLL file spelled a serious threat to organizations using the affected product, widely used IT administration software deployed across verticals, including government and the security industry. The discreet malicious code inserted into the DLL invoked a backdoor composed of almost 4,000 lines of code that allowed the threat actor behind the attack to operate unfettered in compromised networks.</p>
<p>The fact that the compromised file is digitally signed suggests the attackers were able to access the company’s software development or distribution pipeline. Evidence suggests that as early as October 2019, these attackers had been testing their ability to insert code by adding empty classes. Therefore, insertion of malicious code into the <em>SolarWinds.Orion.Core.BusinessLayer.dll</em> likely occurred at an early stage, before the final stages of the software build, which would include digitally signing the compiled code. As a result, the DLL containing the malicious code is also digitally signed, which enhances its ability to run privileged actions—and keep a low profile. For defenders, this means a valid signature on the file shows only that it passed through the vendor’s signing step; it does not show that the code inside is what the vendor intended to ship.</p>
<p>In many of their actions, the attackers took steps to maintain a low profile. For example, the inserted malicious code is lightweight and only has the task of running a malware-added method in a parallel thread such that the DLL’s normal operations are not altered or interrupted. This method is part of a class, which the attackers named <em>OrionImprovementBusinessLayer</em> to blend in with the rest of the code. The class contains all the backdoor capabilities, comprising 13 subclasses and 16 methods, with strings obfuscated to further hide malicious code.</p>
<p>Once loaded, the backdoor goes through an extensive list of checks to make sure it’s running in an actual enterprise network and not on an analyst’s machine. It then contacts a command-and-control (C2) server using a subdomain generated partly from information gathered from the affected device, which means a unique subdomain for each affected domain. This is another way the attackers try to evade detection.</p>
<p>With a lengthy list of functions and capabilities, this backdoor allows hands-on-keyboard attackers to perform a wide range of actions. As we’ve seen in past human-operated attacks, once operating inside a network, adversaries can perform reconnaissance on the network, elevate privileges, and move laterally. Attackers progressively move across the network until they can achieve their goal, whether that’s cyberespionage or financial gain.</p>
<p>&nbsp;</p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-92423" src="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig1-Solorigate-attack-chain.png" alt="Solorigate attack chain diagram" width="1676" height="1117" srcset="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig1-Solorigate-attack-chain.png 1676w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig1-Solorigate-attack-chain-300x200.png 300w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig1-Solorigate-attack-chain-1024x682.png 1024w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig1-Solorigate-attack-chain-768x512.png 768w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig1-Solorigate-attack-chain-1536x1024.png 1536w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig1-Solorigate-attack-chain-293x195.png 293w" sizes="(max-width: 1676px) 100vw, 1676px" /></p>
<p style="text-align: center;"><em>Figure 1. Solorigate malware infection chain</em></p>
<p>The challenge in detecting these kinds of attacks means organizations should focus on solutions that can look at different facets of network operations to detect ongoing attacks already inside the network, in addition to strong preventative protection.</p>
<p>We have previously provided <a href="https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/">guidance</a> and <a href="https://www.microsoft.com/security/blog/2020/12/15/ensuring-customers-are-protected-from-solorigate/">remediation steps</a> to help ensure that customers are empowered to address this threat. In this blog, we’ll share our in-depth analysis of the backdoor&#8217;s behavior and functions, and show why it represents a high risk for business environments. We’ll also share details of the comprehensive endpoint protection provided by <a href="https://www.microsoft.com/en-us/microsoft-365/security/endpoint-defender">Microsoft Defender for Endpoint</a>. In an upcoming blog, we’ll discuss protections across the broader <a href="https://www.microsoft.com/en-us/security/business/threat-protection/integrated-threat-protection">Microsoft 365 Defender</a>, which integrates signals from endpoints with other domains – identities, data, cloud – to provide coordinated detection, investigation, and remediation capabilities.</p>
<h2>Where it all starts: A poisoned code library</h2>
<p>The attackers inserted malicious code into <em>SolarWinds.Orion.Core.BusinessLayer.dll</em>, a code library belonging to the SolarWinds Orion Platform. The attackers had to find a suitable place in this DLL component to insert their code. Ideally, they would choose a place in a method that gets invoked periodically, ensuring both execution and persistence, so that the malicious code is guaranteed to be always up and running. Such a suitable location turns out to be a method named <em>RefreshInternal</em>.</p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-92424" src="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig2-infected-method.png" alt="Screenshot of code of DLL with inserted code" width="624" height="352" srcset="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig2-infected-method.png 624w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig2-infected-method-300x169.png 300w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig2-infected-method-539x303.png 539w" sizes="(max-width: 624px) 100vw, 624px" /></p>
<p style="text-align: center;"><em>Figure 2: The method infected with the bootstrapper for the backdoor</em></p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-92425" src="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig3-original-method.png" alt="Screenshot of original code of DLL" width="624" height="208" srcset="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig3-original-method.png 624w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig3-original-method-300x100.png 300w" sizes="(max-width: 624px) 100vw, 624px" /></p>
<p style="text-align: center;"><em>Figure 3: What the original method looks like</em></p>
<p>The modification to this function is very lightweight and could be easily overlooked—all it does is execute the method <em>OrionImprovementBusinessLayer.Initialize</em> within a parallel thread, so that the normal execution flow of <em>RefreshInternal</em> is not altered.</p>
<p>Why was this method chosen rather than other ones? A quick look at the architecture of this DLL shows that <em>RefreshInternal</em> is part of the class <em>SolarWinds.Orion.Core.BusinessLayer.BackgroundInventory.InventoryManager</em> and is invoked by a sequence of methods that can be traced back to the <em>CoreBusinessLayerPlugin</em> class. The purpose of this class, which initiates its execution with a method named <em>Start </em>(likely at an early stage when the DLL is loaded), is to initialize various other components and schedule the execution of several tasks. Among those tasks is <em>Background Inventory</em>, which ultimately starts the malicious code.</p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-92426" src="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig4-malicious-code-parallel-thread.png" alt="Screenshot of DLL execution flow showing inserted code running within a parallel thread" width="624" height="333" srcset="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig4-malicious-code-parallel-thread.png 624w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig4-malicious-code-parallel-thread-300x160.png 300w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig4-malicious-code-parallel-thread-389x209.png 389w" sizes="(max-width: 624px) 100vw, 624px" /></p>
<p style="text-align: center;"><em>Figure 4. The inserted malicious code runs within a parallel thread </em></p>
<p>The functionality of the backdoor resides entirely in the class <em>OrionImprovementBusinessLayer</em>, comprising 13 subclasses and 16 methods. Its name blends in with the rest of the legitimate code. The threat actors were savvy enough to avoid give-away terminology like “backdoor”, “keylogger”, etc., and instead opted for a more neutral jargon. At first glance, the code in this DLL looks normal and doesn’t raise suspicions, which could be part of the reason why the insertion of malicious code was undetected for months, especially if the code for this DLL was not frequently updated.</p>
<p>To have some minimal form of obfuscation from prying eyes, the strings in the backdoor are compressed and encoded in Base64, or their hashes are used instead.</p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-92427" src="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig5-obfuscated-strings.png" alt="Screenshot of malware code with obfuscated strings" width="624" height="215" srcset="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig5-obfuscated-strings.png 624w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig5-obfuscated-strings-300x103.png 300w" sizes="(max-width: 624px) 100vw, 624px" /></p>
<p style="text-align: center;"><em>Figure 5: Example of obfuscated strings</em></p>
<h2>Initial reconnaissance</h2>
<p>The <em>Initialize</em> method is the de facto execution entry point of the backdoor. It carries out several checks to verify that it is running in a real victim’s environment:</p>
<ul>
<li>It verifies that the process hosting the malicious DLL is named <em>solarwinds.businesslayerhost.exe</em></li>
<li>It checks that the last write-time of the malicious DLL is at least 12 to 14 days earlier</li>
<li>It delays execution by random amounts of time</li>
<li>It verifies that the domain name of the current device meets the following conditions:
<ul>
<li>The domain must not contain certain strings; the check for these strings is implemented via hashes, so at this time the domain names that are block-listed are unknown</li>
<li>The domain must not contain “solarwinds”</li>
<li>The domain must not match the regular expression <em>(?i)([^a-z]|^)(test)([^a-z]|$)</em>, or in simpler terms, it must not look like a test domain</li>
</ul>
</li>
<li>It checks that there are no running processes related to security-related software (e.g., <em>Windbg</em>, <em>Autoruns</em>, <em>Wireshark</em>)</li>
<li>It checks that there are no drivers loaded from security-related software (e.g., <em>groundling32.sys</em>)</li>
<li>It checks that the status of certain services belonging to security-related software meets certain conditions (e.g., <em>windefend</em>, <em>sense</em>, <em>cavp</em>)</li>
<li>It checks that the host “api.solarwinds.com” resolves to an expected IP address</li>
</ul>
<p>If any of these checks fail, the backdoor terminates. All these inspections are carried out to avoid exposing the malicious functionality to unwanted environments, such as test networks or machines belonging to SolarWinds.</p>
<h2>The backdoor</h2>
<p>After the extensive validation described above, the backdoor enters its main execution stage. At its core, the backdoor is a very standard one that receives instructions from the C2 server, executes those instructions, and sends back information. The types of commands that can be executed range from manipulating registry keys to creating processes and deleting files, among others, effectively providing the attackers with full access to the device, especially since it’s executing from a trusted, signed binary.</p>
<p>In its first step, the backdoor initiates a connection to a predefined C2 server to report some basic information about the compromised system and receive the first commands. The C2 domain is composed of four different parts: three come from strings that are hardcoded in the backdoor, and one component is generated dynamically based on some unique information extracted from the device. This means that every affected device generates a different subdomain to contact (and possibly more than one). Here’s an example of a generated domain:</p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-92428" src="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig6-Dynamically-generated-C2-domain.png" alt="Image showing components of dynamically generated C2 domain" width="624" height="217" srcset="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig6-Dynamically-generated-C2-domain.png 624w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig6-Dynamically-generated-C2-domain-300x104.png 300w" sizes="(max-width: 624px) 100vw, 624px" /></p>
<p style="text-align: center;"><em>Figure 6: Dynamically generated C2 domain</em></p>
<p>The dynamically generated portion of the domain is the interesting part. It is computed by hashing the following data:</p>
<ul>
<li>The physical address of the network interface</li>
<li>The domain name of the device</li>
<li>The content of the <em>MachineGuid</em> registry value from the key <em>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography</em></li>
</ul>
<p>The backdoor also generates a pseudo-random URI that is requested on the C2 domain. Like the domain, the URI is composed using a set of hardcoded keywords and paths, which are chosen partly at random and partly based on the type of HTTP request that is being sent out. Possible URIs that can be generated follow these formats:</p>
<ul>
<li>pki/crl/&lt;<em>random components</em>&gt;.crl, where &lt;<em>random components</em>&gt; can be numbers and one of the following strings:
<ul>
<li>&#8220;-root&#8221;</li>
<li>&#8220;-cert&#8221;</li>
<li>&#8220;-universal_ca&#8221;</li>
<li>&#8220;-ca&#8221;</li>
<li>&#8220;-primary_ca&#8221;</li>
<li>&#8220;-timestamp&#8221;</li>
<li>&#8220;-global&#8221;</li>
<li>&#8220;-secureca&#8221;</li>
</ul>
</li>
<li>fonts/woff/&lt;<em>random components</em>&gt;-webfont&lt;<em>random component</em>&gt;.woff2 or fonts/woff/&lt;<em>random components</em>&gt;.woff2, where the &lt;<em>random components</em>&gt; can be numbers and one or more of the following strings:
<ul>
<li>&#8220;Bold&#8221;</li>
<li>&#8220;BoldItalic&#8221;</li>
<li>&#8220;ExtraBold&#8221;</li>
<li>&#8220;ExtraBoldItalic&#8221;</li>
<li>&#8220;Italic&#8221;</li>
<li>&#8220;Light&#8221;</li>
<li>&#8220;LightItalic&#8221;</li>
<li>&#8220;Regular&#8221;</li>
<li>&#8220;SemiBold&#8221;</li>
<li>&#8220;SemiBoldItalic&#8221;</li>
<li>&#8220;opensans&#8221;</li>
<li>&#8220;noto&#8221;</li>
<li>&#8220;freefont&#8221;</li>
<li>&#8220;SourceCodePro&#8221;</li>
<li>&#8220;SourceSerifPro&#8221;</li>
<li>&#8220;SourceHanSans&#8221;</li>
<li>&#8220;SourceHanSerif&#8221;</li>
</ul>
</li>
<li>swip/upd/&lt;<em>random components</em>&gt;, where &lt;<em>random components</em>&gt; can be one or more of the following strings:
<ul>
<li>“SolarWinds”</li>
<li>“.CortexPlugin”</li>
<li>“.Orion”</li>
<li>&#8220;Wireless&#8221;</li>
<li>&#8220;UI&#8221;</li>
<li>&#8220;Widgets&#8221;</li>
<li>&#8220;NPM&#8221;</li>
<li>&#8220;Apollo&#8221;</li>
<li>&#8220;CloudMonitoring&#8221;</li>
<li>&#8220;Nodes&#8221;</li>
<li>&#8220;Volumes&#8221;</li>
<li>&#8220;Interfaces&#8221;</li>
<li>&#8220;Components&#8221;</li>
</ul>
</li>
<li>swip/Upload.ashx</li>
<li>swip/Events</li>
</ul>
<p>Here are examples of final URLs generated by the backdoor:</p>
<ul>
<li><em>hxxps://3mu76044hgf7shjf[.]appsync-api[.]eu-west-1[.]avsvmcloud[.]com /swip/upd/Orion[.]Wireless[.]xml</em></li>
<li><em>hxxps://3mu76044hgf7shjf[.]appsync-api[.]us-east-2[.]avsvmcloud[.]com /pki/crl/492-ca[.]crl</em></li>
<li><em>hxxps://3mu76044hgf7shjf[.]appsync-api[.]us-east-1[.]avsvmcloud[.]com /fonts/woff/6047-freefont-ExtraBold[.]woff2</em></li>
</ul>
<p>Finally, the backdoor composes a JSON document into which it adds the unique user ID described earlier, a session ID, and a set of other non-relevant data fields. It then sends this JSON document to the C2 server.</p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-92429" src="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig7-Data-generated-by-malware.png" alt="Screenshot of data generated by malware" width="384" height="351" srcset="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig7-Data-generated-by-malware.png 384w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig7-Data-generated-by-malware-300x274.png 300w" sizes="(max-width: 384px) 100vw, 384px" /></p>
<p style="text-align: center;"><em>Figure 7: Example of data generated by the malware</em></p>
<p>If the communication is successful, the C2 responds with an encoded, compressed buffer of data containing commands for the backdoor to execute. The C2 might also respond with information about an additional C2 address to report to. The backdoor accepts the following commands:</p>
<ul>
<li>Idle</li>
<li>Exit</li>
<li>SetTime</li>
<li>CollectSystemDescription</li>
<li>UploadSystemDescription</li>
<li>RunTask</li>
<li>GetProcessByDescription</li>
<li>KillTask</li>
<li>GetFileSystemEntries</li>
<li>WriteFile</li>
<li>FileExists</li>
<li>DeleteFile</li>
<li>GetFileHash</li>
<li>ReadRegistryValue</li>
<li>SetRegistryValue</li>
<li>DeleteRegistryValue</li>
<li>GetRegistrySubKeyAndValueNames</li>
<li>Reboot</li>
<li>None</li>
</ul>
<p>In a nutshell, these commands allow the attackers to run, stop, and enumerate processes; read, write, and enumerate files and registry keys; collect and upload information about the device; and restart the device, wait, or exit. The command <em>CollectSystemDescription</em> retrieves the following information:</p>
<ul>
<li>Local Computer Domain name</li>
<li>Administrator Account SID</li>
<li>HostName</li>
<li>Username</li>
<li>OS Version</li>
<li>System Directory</li>
<li>Device uptime</li>
<li>Information about the network interfaces</li>
</ul>
<h2>Resulting hands-on-keyboard attack</h2>
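<p>Once backdoor access is obtained, the attackers follow the standard playbook of privilege escalation exploration, credential theft, and lateral movement, hunting for high-value accounts and assets. To avoid detection, attackers renamed Windows administrative tools like <em>adfind.exe</em>, which were then used for domain enumeration. In the command line below, the tool appears to run under the name <em>csrss.exe</em>, so the process name alone is not a reliable indicator; the command-line arguments are more telling.</p>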
<p style="padding-left: 40px;">C:\Windows\system32\cmd.exe /C csrss.exe -h breached.contoso.com -f (name=&#8221;Domain Admins&#8221;) member -list | csrss.exe -h breached.contoso.com -f objectcategory=* &gt; .\Mod\mod1.log</p>
<p>Lateral movement was observed via PowerShell remote task creation, as detailed by <a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html">FireEye</a> and <a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">Volexity</a>:</p>
<p style="padding-left: 40px;">$scheduler = New-Object -ComObject (&quot;Schedule.Service&quot;);$scheduler.Connect($env:COMPUTERNAME);$folder = $scheduler.GetFolder(&quot;\Microsoft\Windows\SoftwareProtectionPlatform&quot;);$task = $folder.GetTask(&quot;EventCacheManager&quot;);$definition = $task.Definition;$definition.Settings.ExecutionTimeLimit = &quot;PT0S&quot;;$folder.RegisterTaskDefinition($task.Name,$definition,6,&quot;System&quot;,$null,5);echo &quot;Done&quot;<br />
C:\Windows\system32\cmd.exe /C schtasks /create /F /tn &quot;\Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager&quot; /tr &quot;C:\Windows\SoftwareDistribution\EventCacheManager.exe&quot; /sc ONSTART /ru system /S [machine_name]</p>
<p>Persistence is achieved via backdoors deployed via various techniques:</p>
<ol>
<li>PowerShell:</li>
</ol>
<p style="padding-left: 80px;">Powershell -nop -exec bypass -EncodedCommand</p>
<p style="padding-left: 40px;">The -EncodedCommand argument, once decoded, would resemble:</p>
<p style="padding-left: 80px;">Invoke-WMIMethod win32_process -name create -argumentlist &#8216;rundll32 c:\windows\idmu\common\ypprop.dll _XInitImageFuncPtrs&#8217; -ComputerName WORKSTATION</p>
<ol start="2">
<li>Rundll32:</li>
</ol>
<p style="padding-left: 80px;">C:\Windows\System32\rundll32.exe C:\Windows\Microsoft.NET\Framework64\[malicious .dll file], [various exports]</p>
<p style="padding-left: 40px;">With Rundll32, each compromised device receives a unique binary hash, unique local filesystem path, pseudo-unique export, and unique C2 domain.</p>
<p>The backdoor also allows the attackers to deliver second-stage payloads, which are part of the Cobalt Strike software suite. We continue to investigate these payloads, which are detected as Trojan:Win32/Solorigate.A!dha, as the situation continues to unfold.</p>
<h2>Microsoft Defender for Endpoint product and hardening guidance</h2>
<p><a href="https://i.blackhat.com/USA-19/Thursday/us-19-Doerr-The-Enemy-Within-Modern-Supply-Chain-Attacks.pdf">Supply chain compromise</a> continues to be a growing concern in the security industry. The Solorigate incident is a grave reminder that these kinds of attacks can achieve the harmful combination of widespread impact and deep consequences for successfully compromised networks. We continue to <a href="https://www.microsoft.com/security/blog/2020/12/15/ensuring-customers-are-protected-from-solorigate/">urge customers to</a>:</p>
<ul>
<li>Isolate and investigate devices where these malicious binaries have been detected</li>
<li>Identify accounts that have been used on the affected device and consider them compromised</li>
<li>Investigate how those endpoints might have been compromised</li>
<li>Investigate the timeline of device compromise for indications of lateral movement</li>
</ul>
<p>Hardening networks by reducing attack surfaces and building strong preventative protection are baseline requirements for defending organizations. On top of that, comprehensive visibility into system and network activities drives the early detection of anomalous behaviors and potential signs of compromise. More importantly, the ability to correlate signals through AI could surface more evasive attacker activity.</p>
<p><a href="https://www.microsoft.com/en-us/microsoft-365/security/endpoint-defender">Microsoft Defender for Endpoint</a> has comprehensive detection coverage across the Solorigate attack chain. These detections raise alerts that inform security operations teams about the presence of activities and artifacts related to this incident. Given that this attack involves the compromise of legitimate software, automatic remediation is not enabled, in order to prevent service interruption. The detections, however, provide visibility into the attack activity. Analysts can then use investigation and remediation tools in Microsoft Defender for Endpoint to perform deep investigation and additional hunting.</p>
<p><a href="https://www.microsoft.com/en-us/security/business/threat-protection/integrated-threat-protection">Microsoft 365 Defender</a> provides visibility beyond endpoints by consolidating threat data from across domains – identities, data, cloud apps, as well as endpoints – delivering coordinated defense against this threat. This cross-domain visibility allows Microsoft 365 Defender to correlate signals and comprehensively resolve whole attack chains. Security operations teams can then hunt using this rich threat data and gain insights for hardening networks from compromise.</p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-92430" src="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig8-Solorigate-attack-chain-solutions.png" alt="Solorigate attack chain diagram" width="1566" height="1117" srcset="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig8-Solorigate-attack-chain-solutions.png 1566w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig8-Solorigate-attack-chain-solutions-300x214.png 300w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig8-Solorigate-attack-chain-solutions-1024x730.png 1024w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig8-Solorigate-attack-chain-solutions-768x548.png 768w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig8-Solorigate-attack-chain-solutions-1536x1096.png 1536w" sizes="(max-width: 1566px) 100vw, 1566px" /></p>
<p style="text-align: center;"><em>Figure 8. Microsoft Defender for Endpoint detections across the Solorigate attack chain</em></p>
<p>Several Microsoft Defender for Endpoint capabilities are relevant to the Solorigate attack:</p>
<h3>Next generation protection</h3>
<p>Microsoft Defender Antivirus, the default antimalware solution on Windows 10, <a href="https://www.microsoft.com/security/blog/2020/12/15/ensuring-customers-are-protected-from-solorigate/">detects and blocks</a> the malicious DLL and its behaviors. It quarantines malware, even if the process is running.</p>
<p>Detection for backdoored SolarWinds.Orion.Core.BusinessLayer.dll files:</p>
<ul>
<li><a href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:MSIL/Solorigate.BR!dha">Trojan:MSIL/Solorigate.BR!dha</a></li>
</ul>
<p>Detection for Cobalt Strike fragments in process memory, which also stops the process:</p>
<ul>
<li><a href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Solorigate.A!dha&amp;threatId=-2147196107">Trojan:Win32/Solorigate.A!dha</a></li>
<li><a href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/Solorigate.A!dha&amp;threatId=-2147196108">Behavior:Win32/Solorigate.A!dha</a></li>
</ul>
<p>Detection for the second-stage payload, a Cobalt Strike beacon that might connect to infinitysoftwares[.]com:</p>
<ul>
<li><a href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/Solorigate.SA!dha">Trojan:Win64/Solorigate.SA!dha</a></li>
</ul>
<p>Detection for the PowerShell payload that grabs hashes and SolarWinds passwords from the database along with machine information:</p>
<ul>
<li><a href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:PowerShell/Solorigate.H!dha&amp;threatId=-2147196089">Trojan:PowerShell/Solorigate.H!dha</a></li>
</ul>
<p><img class="alignnone size-full wp-image-92431" src="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig9-MDE-prevented-malicious-binaries.png" alt="Screenshot of Microsoft Defender Security Center alert of Solorigate malware being prevented" width="1850" height="978" srcset="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig9-MDE-prevented-malicious-binaries.png 1850w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig9-MDE-prevented-malicious-binaries-300x159.png 300w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig9-MDE-prevented-malicious-binaries-1024x541.png 1024w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig9-MDE-prevented-malicious-binaries-768x406.png 768w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig9-MDE-prevented-malicious-binaries-1536x812.png 1536w" sizes="(max-width: 1850px) 100vw, 1850px" /></p>
<p style="text-align: center;"><em>Figure 9. Microsoft Defender for Endpoint prevented malicious binaries</em></p>
<h3>Endpoint detection and response (EDR)</h3>
<p>Alerts with the following titles in the Microsoft Defender Security Center and Microsoft 365 security center can indicate threat activity on your network:</p>
<ul>
<li>SolarWinds Malicious binaries associated with a supply chain attack</li>
<li>SolarWinds Compromised binaries associated with a supply chain attack</li>
<li>Network traffic to domains associated with a supply chain attack</li>
</ul>
<p>Alerts with the following titles in the Microsoft Defender Security Center and Microsoft 365 security center can indicate the possibility that the threat activity in this report occurred or might occur later. These alerts can also be associated with other malicious threats.</p>
<ul>
<li>ADFS private key extraction attempt</li>
<li>Masquerading Active Directory exploration tool</li>
<li>Suspicious mailbox export or access modification</li>
<li>Possible attempt to access ADFS key material</li>
<li>Suspicious ADFS adapter process created</li>
</ul>
<p style="text-align: center;"><img class="alignnone size-full wp-image-92432" src="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig10-Microsoft-Defender-Endpoint-LDAP-query.png" alt="Screenshot of Microsoft Defender Security Center alert of ADFS private key extraction attempt" width="2173" height="1298" srcset="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig10-Microsoft-Defender-Endpoint-LDAP-query.png 2173w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig10-Microsoft-Defender-Endpoint-LDAP-query-300x179.png 300w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig10-Microsoft-Defender-Endpoint-LDAP-query-1024x612.png 1024w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig10-Microsoft-Defender-Endpoint-LDAP-query-768x459.png 768w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig10-Microsoft-Defender-Endpoint-LDAP-query-1536x918.png 1536w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig10-Microsoft-Defender-Endpoint-LDAP-query-2048x1223.png 2048w" sizes="(max-width: 2173px) 100vw, 2173px" /></p>
<p style="text-align: center;"><em>Figure 10. Microsoft Defender for Endpoint detections of suspicious LDAP query being launched and attempted ADFS private key extraction</em></p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-92439" src="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig11-2-ADFS-key-material.png" alt="Screenshot of Microsoft Defender Security Center alert of Possible attempt to access ADFS key material" width="864" height="849" srcset="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig11-2-ADFS-key-material.png 864w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig11-2-ADFS-key-material-300x295.png 300w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig11-2-ADFS-key-material-768x755.png 768w" sizes="(max-width: 864px) 100vw, 864px" /></p>
<p style="text-align: center;"><em>Figure 11. Microsoft Defender for Endpoint alert description and recommended actions for possible attempt to access ADFS key material</em></p>
<p>Our ability to deliver these protections through our security technologies is backed by our security experts who immediately investigated this attack and continue to look into the incident as it develops. Careful monitoring by experts is critical in this case because we’re dealing with a highly motivated and highly sophisticated threat actor. In the same way that our products integrate with each other to consolidate and correlate signals, security experts and threat researchers across Microsoft are working together to address this advanced attack and ensure our customers are protected.</p>
<h3>Threat analytics report</h3>
<p>We published a comprehensive <a href="https://techcommunity.microsoft.com/t5/microsoft-365-defender/new-threat-analytics-report-shares-the-latest-intelligence-on/ba-p/2001095">threat analytics</a> report on this incident. Threat analytics reports provide technical information, detection details, and recommended mitigations designed to empower defenders to understand attacks, assess their impact, and review defenses.</p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-92442" src="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig12-Threat-analytics-solorigate-2.jpg" alt="Screenshot of Threat Analytics report for Solorigate in Microsoft Defender Security Center" width="1619" height="895" srcset="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig12-Threat-analytics-solorigate-2.jpg 1619w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig12-Threat-analytics-solorigate-2-300x166.jpg 300w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig12-Threat-analytics-solorigate-2-1024x566.jpg 1024w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig12-Threat-analytics-solorigate-2-768x425.jpg 768w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig12-Threat-analytics-solorigate-2-1536x849.jpg 1536w" sizes="(max-width: 1619px) 100vw, 1619px" /></p>
<p style="text-align: center;"><em>Figure 12. Threat analytics report on the Solorigate attack</em></p>
<h3>Advanced hunting</h3>
<p>Microsoft 365 Defender and Microsoft Defender for Endpoint customers can run advanced hunting queries to hunt for similar TTPs used in this attack.</p>
<h4>Malicious DLLs loaded into memory</h4>
<p>To locate the presence or distribution of malicious DLLs loaded into memory, <a href="https://securitycenter.windows.com/hunting?query=H4sIAAAAAAAEAE2XzQ7sNAyFs0biHa7uCiQWadL8LZFAAokdT5A0DdwFXAkQbHh4nM_uMBp1pm0S2zk-Ps585273t_vkLvn90f3muvtF7n5yn-Vuuu9l7Ha_u7_cn-6D-9J94f6V33_cr_L2D7k-uJ_dD-5bd8jdJ5n3wX3lPrrisnxO512Sq7oh47e8LfLc5C7JWOX5EC_JRXvf5Zo8RVmzWHVLZB_dN3JNeY5ib8jdtrQ9JBkN8hvls8RmFRuXzIn422-bzFmypsvqInNvecpEqFYPViyZeVis6jcy58LmjnbbGLI-ifeL6E88L_neMXR8PbHezNz-olgJYjnLuyafJe87cev7yP1emey72Pz9W_FZzWqW1VM-Vd4NGb_Y1SXXkhU3Ngv7TzK-PW_MTuwn9r_tphfCajWw405ce1eHfKbMPNirZ6yTidPWVr53fvdok0tz4dmvWh3idWDzBLFBdF7ug_x2spJZvSOrhuNiN0PWDL5vcrvRfrKV8aORDVkd5NqIePi6x_f9AusIFgEfJ9Yned3IbozLi1mV2VXmbbQnVvauh0SgbNiYLJiQ5HnAt0Lu9sxGvgdxNbOq3JsyuvNwwrELT09MaqGCeYSbHdZOq5SBtb3TJnPU6gUnCnhV8PasU4buCE84kfE42fEie4NZlSwoE3bNPRx4omi2021ryQrNqY5FYps8L7BqoF3gVoTNmew-VjfuWWztGCtVcpOHm5Wbq5HsX3Kv-ZuwalEpHS5eeNw5f6xuTHVvg0g91g6qp1OJB_hsmxrjoLZ2rCf6k8hFgZX_V-zBngocGWhRA7ELD1rfjfg8czSXO-oA7nt-t4yo1cVoQks8fFpYUyVRP5VVk5wltHLBlQWyASVTBu5YvxaN_Sza-yhvQAnf1Tfy7oA_FYZ6ailg68TLZuSNJm2NO8nB3s9tvJz8emo1oCrT6uE0nG5wbNSrZzyDaHnxVBV_ksMMkwoYdfjbiaeT6_nS0cN8FKI4iPAmwkAlTusQuidPTJWIDlhVqaf5UvfHWzJlb4w2U0fldyKaTPyTPVciiLwf9JWG5YKtiO5War4aRoU4VZEXmK03hd21p95UETcnM4qU4G2BxQGGdbwm0GrYG3x7Lk_-TubvHqe1l0BLu4VnteJ7wcRpUXTT1mCcu19KoLM92b9h4IVuV1C-rP5VZya6n9HlgWZm8A62n0k2NIeP-h7caxTaMTx4dupi8HuA4-ITqMJCbRWsTdYcxBLY7WUafbH7br0rMl7I1wkfGpo4WB3fVNRj8cRHpCKi-Uvo3039LdOMhV19Hqigcvokf5oFz24atXTDMe3-nbXap1XhywuLhbdCLqZpWiZzlfyqtmU7vzQwT6hopCdoBx6vU08Gha26jT1pP0_UUcd2gh0JZB52aie9qZYIut7i1S6vyHX8NOvZt0UdiSoYDyaR3RbXQgW00gYVtq0qnzI-jxc7lX_RunuioiMRqcKcMGuASICFjy4-3WmBi0eXOoqR7fmmdhRfVZlJZJkaXm89O5DdEwxvbEyr1GrnNtWmQe-57MSZQLBbpzis4w5yFfHeYMhBfaseelipfT4Rc3yr1Aj_Bva0V2vffphwma3CvADWJ-jrqe0gxhPGLTsTVfI0resNY2_ihKh9W09hTxQNNKZV3UStD8vqwwbtlsn6xYntaZqovPOmbZ4a0j7wKGUwfydRLJis_WbX5oOFKrpHYTJYBXDQk0hnX82y6MnaoFsW6x16hjzYQTVF1ZP3MCs3kTbQ015esLY9PafZar3iYvfKm8KuFkhqB59wJ7OPBmqqTXpeV96drAh0Fu2xep9NfwYM0v8di7zkl2pd5DG8VLahcTu7l3WZC72Ypu
KnxR1hWqc7-df5--RzmTqexkhP1Rx2IlGVrFTLc6ZZ2J_sVpkc0Kli1RTAJ8PPZXOUsXrCjm-9JZteTztBXPZPrdjZVnei_7cqu91noP8A9D6a0LYOAAA&amp;runQuery=true&amp;timeRangeId=week">run the following query</a></p>
<p style="padding-left: 40px;">DeviceImageLoadEvents | where SHA1 in (&#8220;d130bd75645c2433f88ac03e73395fba172ef676&#8243;,&#8221;1acf3108bf1e376c8848fbb25dc87424f2c2a39c&#8221;,&#8221;e257236206e99f5a5c62035c9c59c57206728b28&#8243;,&#8221;6fdd82b7ca1c1f0ec67c05b36d14c9517065353b&#8221;,&#8221;2f1a5a7411d015d01aaee4535835400191645023&#8243;,&#8221;bcb5a4dcbc60d26a5f619518f2cfc1b4bb4e4387&#8243;,&#8221;16505d0b929d80ad1680f993c02954cfd3772207&#8243;,&#8221;d8938528d68aabe1e31df485eb3f75c8a925b5d9&#8243;,&#8221;395da6d4f3c890295f7584132ea73d759bd9d094&#8243;,&#8221;c8b7f28230ea8fbf441c64fdd3feeba88607069e&#8221;,&#8221;2841391dfbffa02341333dd34f5298071730366a&#8221;,&#8221;2546b0e82aecfe987c318c7ad1d00f9fa11cd305&#8243;,&#8221;e2152737bed988c0939c900037890d1244d9a30e&#8221;) or SHA256 in (&#8220;ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6&#8243;,&#8221;dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b&#8221;,&#8221;eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed&#8221;,&#8221;ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c&#8221;,&#8221;019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134&#8243;,&#8221;c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77&#8243;,&#8221;0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589&#8243;,&#8221;e0b9eda35f01c1540134aba9195e7e6393286dde3e001fce36fb661cc346b91d&#8221;,&#8221;20e35055113dac104d2bb02d4e7e33413fae0e5a426e0eea0dfd2c1dce692fd9&#8243;,&#8221;2b3445e42d64c85a5475bdbc88a50ba8c013febb53ea97119a11604b7595e53d&#8221;,&#8221;a3efbc07068606ba1c19a7ef21f4de15d15b41ef680832d7bcba485143668f2d&#8221;,&#8221;92bd1c3d2a11fc4aba2735d9547bd0261560fb20f36a0e7ca2f2d451f1b62690&#8243;,&#8221;a58d02465e26bdd3a839fd90e4b317eece431d28cab203bbdde569e11247d9e2&#8243;,&#8221;cc082d21b9e880ceb6c96db1c48a0375aaf06a5f444cb0144b70e01dc69048e6&#8243;)</p>
<h4>Malicious DLLs created in the system or locally</h4>
<p>To locate the presence or distribution of malicious DLLs created in the system or locally, <a href="https://securitycenter.windows.com/hunting?query=H4sIAAAAAAAEAE2Xy87tNAyFO0biHX6dEUgM0twzRALEnCdImkYc6QgkQDDh4XE-u5utqru3xHaWl5ezfzju4-_j83HJ9Se5fpHrj_LmPn47_jr-PD6Or4-vjn_l-s_xq7z9Q86P45fj5-P745S7zzLu4_jm-HSUI8sRD3ckOesx5Pstb4s8N7lL8q3yfB5dnoK973JOnoLMWcy6JZ5Px3dyTnkOYm_I3ba0PST56uUa5Fhis4qNS8YE_O23TcYsmdNldpGxtzxlIlSrJzOWjDwtVvUbGHNhc0e7bQyZn8T7RfQRz0t-dwwdX0-sNyO3vyBWvFjO8q7JseR9J259H7jfM5P9Fhu_rxWf1axmmT3lqPJuyPeLVV1yLplxY7Ow_iTft-eNWcR-Yv3bbnohrFY9K-7EtVd1yjFl5MlaHd86mYg2t_K787u_Njk1F471qtUhXgc2I4gNonNy7-XayUpm9o6sGo6L1QyZM_i9ye1G-8lWxo9GNmS2l3Mj4sTm5Pu-X2AdwMLjI2J9kteN7Ma4vJhVGV1l3EZ7YmWvekgEyoaNyYIJSZ4HfCvkbo9s5HsQVzOryr0pX3ceIhy78PTEpBYqmAe42WHttEoZWNsrbTJGrV5wooBXBW_HPGXojjDCiYzHyYoX2RuMqmRBmbBr7uHAE0WzlW5bS2ZoTvVbILbJ8wKrBtoFbgXYnMnuY3XjnsXWjrFSJTd5uJm5uRrI_iX3mr8JqxaV0uHihced88fqxlTXNojUYe2kejqVeILPtqkxDmprxxrRn0QuCqz8v2JP1lTgyECLGohdeND6bsTnGKO53FF7cN_ju2VErS6-JrTEwaeFNVUS9VOZNclZQisXXFkg61EyZeCO9VvR2N9Fex_l9Sjhu_oG3p3wp8JQRy15bEW8bEbeaNLWuEgO9npu4-Xk6qhVj6pMq4doON3g2KhXx_cMouXFU1X8SQ4zTCpg1OFvJ55OrudLR0_zUYjiJMKbCD2VOK1D6JocMVUiOmFVpZ7mS90fb8mUvfG1mToqvxPRZOKfrLkSQeD9oK80LBdsBXS3UvPVMCrEqYq8wGy9KeyuPfWmirg5mVGkBG8LLPYwrOM1gVbD3uDXcTryFxm_e5zWXgIt7RaO2YrvBROnRdFNW71x7n4pgY52ZP-GgRe6XUH5svpXnZnofkaXB5qZwdvbeibZ0Bw-6ntyr1Fox3Dg2amLwfUEx8XhqcJCbRWsTeacxOJZ7WUafbH6br0r8L2QrwgfGpo4mB3eVNRhMeIjUBHB_CX076b-lmnGwq4-D1RQOR3Jn2bBsZpGLd1wTLt_Z672aVX48sJi4a2Qi2malslcJb-qbdn2Lw3MEyoa6Anagcdr15NBYatuY03azxN11LGdYEcCmYed2klvqiWArrN4tcsrch0_zXr2bVEHovLGg0lkt8W1UAGttEGFbavKp4zP88VO5V-w7p6o6EBEqjARZg0Q8bDw0cWnOy1wcehSRzGyPd_UjuKrKjOJLFPD661ne7IbwfDGxrRKrbZvU20a9J7LdpwJBLt1itM67iBXAe8NhpzUt-qhg5Xa5xMxh7dKDfBvYE97tfbthwmX2SqM82AdQV93bScxRhi3bE9UydO0rjeMvYkdovZt3YU9UTTQmFZ1E7U-LasPG7RbJusXEdvTNFF550zbHDWkfeBRSm_-IlEsmKz9Ztfmg4UqukNhMlh5cNCdSGddzbLoyNqgWxbrHbqHPFlBNUXVnfcwKzeRNtDTXl6wtj09u9lqveJi9cqbwqoWSGoHn3Ans44GaqpNul9X3kVmeDqL9li9z6Y_Awbp_45FXvJLtS7y6F8q29C4nd3LusyFXkxT
8WhxB5jW6U7utf-OHJepYzRGOqrmtB2JqmSlWp49zcL-ZLXKZI9OFasmDz4Zfi4bo4zVHXZ46y3Z9HraDuKyf2rF9ra6Ev2_VVnt3gP9B3GMOb2sDgAA&amp;runQuery=true&amp;timeRangeId=week">run the following query</a></p>
<p style="padding-left: 40px;">DeviceFileEvents | where SHA1 in (&#8220;d130bd75645c2433f88ac03e73395fba172ef676&#8243;,&#8221;1acf3108bf1e376c8848fbb25dc87424f2c2a39c&#8221;,&#8221;e257236206e99f5a5c62035c9c59c57206728b28&#8243;,&#8221;6fdd82b7ca1c1f0ec67c05b36d14c9517065353b&#8221;,&#8221;2f1a5a7411d015d01aaee4535835400191645023&#8243;,&#8221;bcb5a4dcbc60d26a5f619518f2cfc1b4bb4e4387&#8243;,&#8221;16505d0b929d80ad1680f993c02954cfd3772207&#8243;,&#8221;d8938528d68aabe1e31df485eb3f75c8a925b5d9&#8243;,&#8221;395da6d4f3c890295f7584132ea73d759bd9d094&#8243;,&#8221;c8b7f28230ea8fbf441c64fdd3feeba88607069e&#8221;,&#8221;2841391dfbffa02341333dd34f5298071730366a&#8221;,&#8221;2546b0e82aecfe987c318c7ad1d00f9fa11cd305&#8243;,&#8221;e2152737bed988c0939c900037890d1244d9a30e&#8221;) or SHA256 in (&#8220;ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6&#8243;,&#8221;dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b&#8221;,&#8221;eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed&#8221;,&#8221;ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c&#8221;,&#8221;019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134&#8243;,&#8221;c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77&#8243;,&#8221;0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589&#8243;,&#8221;e0b9eda35f01c1540134aba9195e7e6393286dde3e001fce36fb661cc346b91d&#8221;,&#8221;20e35055113dac104d2bb02d4e7e33413fae0e5a426e0eea0dfd2c1dce692fd9&#8243;,&#8221;2b3445e42d64c85a5475bdbc88a50ba8c013febb53ea97119a11604b7595e53d&#8221;,&#8221;a3efbc07068606ba1c19a7ef21f4de15d15b41ef680832d7bcba485143668f2d&#8221;,&#8221;92bd1c3d2a11fc4aba2735d9547bd0261560fb20f36a0e7ca2f2d451f1b62690&#8243;,&#8221;a58d02465e26bdd3a839fd90e4b317eece431d28cab203bbdde569e11247d9e2&#8243;,&#8221;cc082d21b9e880ceb6c96db1c48a0375aaf06a5f444cb0144b70e01dc69048e6&#8243;)</p>
<h4>SolarWinds processes launching PowerShell with Base64</h4>
<p>To locate SolarWinds processes spawning suspected Base64-encoded PowerShell commands, <a href="https://securitycenter.windows.com/hunting?query=H4sIAAAAAAAEAK1TXUsCQRQ9z0H_YfHF3VKzkqAHoW8KJIIegkpEdxeVdlV2TO3zt3fu3VHcsloohpm5d-ac-zlzghAT9OFzv0KCoUqG45TnIQYYU17HGl7hYIoezxJOBxe86_O2j7auA3Q_WTjjaUT5kohYOXW8cy3gmqiIpwlulBkQXcERHrmLnvIbRDypv3PiDb1UqM04Cysj-t7fiPyp4oziI46srS0OhznP6CUh3-fuoEPJELOHGjWphk9LAaWAulFsmnnJ3hvmkEYzITfibfDFTqTILtm9RR6heg61Fll8y97No0p91xec-bmLIucdDlHGLc_KeEaV6z42mVsTL9ihXsIbMXXVRdul7pEp8W_rmu3hMeWYo62RNWx3vD_FLTXqZKrn_sqUyKq6upaZVvF3pkeO9Lam0oaV8sQvfV7ut8QuvR3p25UKuThg7e4ZWVrBot2lXg-8b_2Y5bL9FnFD_RGJvvo8eXk2D3m7q_7DgBYFGzPicU6bju10nl7G-vN99WhsbbqKlErMX2KT8n9aTd-0WP0AdbkD_LwEAAA&amp;runQuery=true&amp;timeRangeId=month">run the following query </a></p>
<p style="padding-left: 40px;">DeviceProcessEvents<br />
| where InitiatingProcessFileName =~ "SolarWinds.BusinessLayerHost.exe"<br />
| where FileName =~ "powershell.exe"<br />
// Extract base64 encoded string, ensure valid base64 length<br />
| extend base64_extracted = extract('([A-Za-z0-9+/]{20,}[=]{0,3})', 1, ProcessCommandLine)<br />
| extend base64_extracted = substring(base64_extracted, 0, (strlen(base64_extracted) / 4) * 4)<br />
| extend base64_decoded = replace(@'\0', '', make_string(base64_decode_toarray(base64_extracted)))<br />
//<br />
| where notempty(base64_extracted) and base64_extracted matches regex '[A-Z]' and base64_extracted matches regex '[0-9]'</p>
<h4>SolarWinds processes launching CMD with echo</h4>
<p>To locate SolarWinds processes launching CMD with echo,  <a href="https://securitycenter.windows.com/hunting?query=H4sIAAAAAAAEAG2OSwrCQBBEay14h2EOkBtk4w-FIIIL1yEZzEASIfEL4tl9M3EhITT9requXsnpLq-CfFCnS6x6bM3cqdWVeq6Z3jJ6qGLW4UY7MA_qlcfY6jy6sGFaU-9hNHEn1YdodYRVM-10ipsl7EQL3cihH_YzGK-ot4Xfo5LQPXE7-dGUXhr1Cvryb9vACKpm9PGSusEGNPv9YtDIQcMlB7eCZfUF5AwwqToBAAA&amp;runQuery=true&amp;timeRangeId=month">run the following query </a></p>
<p style="padding-left: 40px;">DeviceProcessEvents<br />
| where InitiatingProcessFileName =~ "SolarWinds.BusinessLayerHost.exe"<br />
| where FileName == "cmd.exe" and ProcessCommandLine has "echo"</p>
<h4>C2 communications</h4>
<p>To locate DNS lookups to a malicious actor’s domain, <a href="https://securitycenter.windows.com/hunting?query=H4sIAAAAAAAEAGWOSwrCQBQEay14hyEH0BO4EKJLwc8FghkwEI2YZCTg4S1noQtpHt00Bf1KIomGs74xRW4M9MyZ8SLw5GL38AJrqUG2kzkxcc_tSgUKStuePWPmJw56L9PlPkoElqpkx9H8I8Mf-1mvzHVerVXzXa5o2ZqjXksHP6yyFyxMyZy4-msrP8oUvAEb21tt5gAAAA&amp;runQuery=true&amp;timeRangeId=month">run the following query </a></p>
<p style="padding-left: 40px;">DeviceEvents<br />
| where ActionType == "DnsQueryResponse" //DNS Query Response<br />
and AdditionalFields has ".avsvmcloud"</p>
<p>To locate DNS lookups to a malicious actor’s domain, <a href="https://securitycenter.windows.com/hunting?query=H4sIAAAAAAAEALWQPQ6CQBCFX23iHZDGjhvYqYmNMSYegCA_G4E1gEDh4f12KgtLCZmd3TfvZ5e9co1yyuhnatAkr04PHcBztSC9Iq210ps-qQLtqEhX1gb2QL-B1WAZ56BJ8WxNuWU_shvhZnC8XrorMWbD9JfzCa3DxaEdzKnUhZm3e_Z8R9Da7pziEjQb7VhjGJUxA5pQMxX_PaVhmvOOctEUZ85P-2vdokkFk-BSwJ4XzPG8JvikXxkfdzmn1oQCAAA&amp;runQuery=true&amp;timeRangeId=month">run the following query </a></p>
<p style="padding-left: 40px;">DeviceNetworkEvents<br />
| where RemoteUrl contains 'avsvmcloud.com'<br />
| where InitiatingProcessFileName != "chrome.exe"<br />
| where InitiatingProcessFileName != "msedge.exe"<br />
| where InitiatingProcessFileName != "iexplore.exe"<br />
| where InitiatingProcessFileName != "firefox.exe"<br />
| where InitiatingProcessFileName != "opera.exe"</p>
<h4>Find SolarWinds Orion software in your enterprise</h4>
<p>To search for Threat and Vulnerability Management data to find SolarWinds Orion software organized by product name and ordered by how many devices the software is installed on, <a href="https://securitycenter.windows.com/hunting?query=H4sIAAAAAAAEAI2QywrCMBBF71rwH7pTP8JdN27cKN1KH5EKfUATLYof78lAsYiChGQmd2ZOJpPK6aaLSuwRr9VBvc4KGpVrQN2pQ3ecgciguzJd1XB33HIVVDfswHbySrTUQk_sqNpyHP4nNTNiZcREW1aiFdU9rJgxQotxj_oPb49tLeJRoxbwRuurNnZ86cLZzYien7Ss3GIPq6-YRY8e_7tWOpvP9MaGrII5_O7ize-tkyl_zj59ZcecOMVSL39fnZCaAQAA&amp;runQuery=true&amp;timeRangeId=month">run the following query </a></p>
<p style="padding-left: 40px;">DeviceTvmSoftwareInventoryVulnerabilities<br />
| where SoftwareVendor == 'solarwinds'<br />
| where SoftwareName startswith 'orion'<br />
| summarize dcount(DeviceName) by SoftwareName<br />
| sort by dcount_DeviceName desc</p>
<h4>ADFS adapter process spawning</h4>
<p style="padding-left: 40px;">DeviceProcessEvents<br />
| where InitiatingProcessFileName =~ "Microsoft.IdentityServer.ServiceHost.exe"<br />
| where FileName in~("werfault.exe", "csc.exe")<br />
| where ProcessCommandLine !contains ("nameId")</p>
<p>&nbsp;</p>
<h2>Appendix</h2>
<h3>MITRE ATT&amp;CK techniques observed</h3>
<p>This threat makes use of attacker techniques documented in the <a href="https://attack.mitre.org/">MITRE ATT&amp;CK framework</a>.</p>
<p>Initial Access</p>
<p style="padding-left: 40px;"><a href="https://attack.mitre.org/techniques/T1195/001/">T1195.001 Supply Chain Compromise</a></p>
<p>Execution</p>
<p style="padding-left: 40px;"><a href="https://attack.mitre.org/techniques/T1072/">T1072 Software Deployment Tools</a></p>
<p>Command and Control</p>
<p style="padding-left: 40px;"><a href="https://attack.mitre.org/techniques/T1071/004/">T1071.004 Application Layer Protocol: DNS</a></p>
<p style="padding-left: 40px;"><a href="https://attack.mitre.org/techniques/T1071/001/">T1071.001 Application Layer Protocol: Web Protocols</a></p>
<p style="padding-left: 40px;"><a href="https://attack.mitre.org/techniques/T1568/002/">T1568.002 Dynamic Resolution: Domain Generation Algorithms</a></p>
<p style="padding-left: 40px;"><a href="https://attack.mitre.org/techniques/T1132/">T1132 Data Encoding</a></p>
<p>Persistence</p>
<p style="padding-left: 40px;"><a href="https://attack.mitre.org/techniques/T1078/">T1078 Valid Accounts</a></p>
<p>Defense Evasion</p>
<p style="padding-left: 40px;"><a href="https://attack.mitre.org/techniques/T1480/001/">T1480.001 Execution Guardrails: Environmental Keying</a></p>
<p style="padding-left: 40px;"><a href="https://attack.mitre.org/techniques/T1562/001/">T1562.001 Impair Defenses: Disable or Modify Tools</a></p>
<p>Collection</p>
<p style="padding-left: 40px;"><a href="https://attack.mitre.org/techniques/T1005/">T1005 Data From Local System </a></p>
<h3>Additional malware discovered</h3>
<p>In an interesting turn of events, the investigation of the whole SolarWinds compromise led to the discovery of an additional piece of malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor. The malware consists of a small persistence backdoor in the form of a DLL file named <em>App_Web_logoimagehandler.ashx.b6031896.dll</em>, which is programmed to allow remote code execution through the SolarWinds web application server when installed in the folder “inetpub\SolarWinds\bin\”. Unlike Solorigate, this malicious DLL does not have a digital signature, which suggests that this may be unrelated to the supply chain compromise. Nonetheless, the infected DLL contains just one method (named <em>DynamicRun</em>) that can receive a C# script from a web request, compile it on the fly, and execute it.</p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-92435" src="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig13-Original-DLL.png" alt="Screenshot of code of the original DLL" width="624" height="286" srcset="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig13-Original-DLL.png 624w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig13-Original-DLL-300x138.png 300w" sizes="(max-width: 624px) 100vw, 624px" /></p>
<p style="text-align: center;"><em>Figure 13: Original DLL</em></p>
<p style="text-align: center;"><img class="alignnone size-full wp-image-92436" src="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig14-Malicious-addition.png" alt="Screenshot of DLL code with inserted malicious code" width="624" height="430" srcset="https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig14-Malicious-addition.png 624w, https://www.microsoft.com/security/blog/wp-content/uploads/2020/12/Fig14-Malicious-addition-300x207.png 300w" sizes="(max-width: 624px) 100vw, 624px" /></p>
<p style="text-align: center;"><em>Figure 14: The malicious addition that calls the DynamicRun method</em></p>
<p>This code provides an attacker the ability to send and execute any arbitrary C# program on the victim’s device. Microsoft Defender Antivirus detects this compromised DLL as Trojan:MSIL/Solorigate.G!dha.</p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<hr />
<h3>Talk to us</h3>
<p>Questions, concerns, or insights on this story? Join discussions at the <a href="https://techcommunity.microsoft.com/t5/microsoft-365-defender/bg-p/MicrosoftThreatProtectionBlog">Microsoft 365 Defender tech community</a>.</p>
<p>Read all <a href="https://www.microsoft.com/security/blog/microsoft-security-intelligence/">Microsoft security intelligence blog posts</a>.</p>
<p>Follow us on Twitter <a href="https://twitter.com/MsftSecIntel" target="_blank" rel="noopener noreferrer"><strong>@MsftSecIntel</strong></a>.</p>
	</div><!-- .entry-content -->
</article><!-- #post-## -->

			
			</main><!-- #mainContent -->
	</section><!-- .wrap -->

	
	

	<!-- start universal footer -->
			<div id="footerArea" class="uhf"  data-m='{"cN":"footerArea","cT":"Area_coreuiArea","id":"a2Body","sN":2,"aN":"Body"}'>
                <div id="footerRegion"     data-region-key="footerregion" data-m='{"cN":"footerRegion","cT":"Region_coreui-region","id":"r1a2","sN":1,"aN":"a2"}' >

    <div  id="footerUniversalFooter" data-m='{"cN":"footerUniversalFooter","cT":"Module_coreui-universalfooter","id":"m1r1a2","sN":1,"aN":"r1a2"}'  data-module-id="Category|footerRegion|coreui-region|footerUniversalFooter|coreui-universalfooter">
        



<footer id="uhf-footer" class="c-uhff context-uhf"  data-uhf-mscc-rq="false" data-footer-footprint="/MSSecurity/MSSecurityFooter, fromService: True" data-m='{"cN":"Uhf footer_cont","cT":"Container","id":"c1m1r1a2","sN":1,"aN":"m1r1a2"}'>
        <nav class="c-uhff-nav" aria-label="Footer Resource links" data-m='{"cN":"Footer nav_cont","cT":"Container","id":"c1c1m1r1a2","sN":1,"aN":"c1m1r1a2"}'>
			
                <div class="c-uhff-nav-row">
                        <div class="c-uhff-nav-group" data-m='{"cN":"footerNavColumn6_cont","cT":"Container","id":"c6c1c1m1r1a2","sN":6,"aN":"c1c1m1r1a2"}'>
                            <div class="c-heading-4" role="heading" aria-level="4">Company</div>
                            <ul class="c-list f-bare">
                                        <li>
                                            <a class="c-uhff-link" href="https://careers.microsoft.com/" data-m='{"cN":"Footer_Company_Careers_nav","id":"n1c6c1c1m1r1a2","sN":1,"aN":"c6c1c1m1r1a2"}'>Careers</a>
                                        </li>
                                        <li>
                                            <a class="c-uhff-link" href="https://www.microsoft.com/en-us/about" data-m='{"cN":"Footer_Company_AboutMicrosoft_nav","id":"n2c6c1c1m1r1a2","sN":2,"aN":"c6c1c1m1r1a2"}'>About Microsoft</a>
                                        </li>
                                        <li>
                                            <a class="c-uhff-link" href="https://news.microsoft.com/" data-m='{"cN":"Footer_Company_CompanyNews_nav","id":"n3c6c1c1m1r1a2","sN":3,"aN":"c6c1c1m1r1a2"}'>Company news</a>
                                        </li>
                                        <li>
                                            <a class="c-uhff-link" href="https://privacy.microsoft.com/en-us" data-m='{"cN":"Footer_Company_PrivacyAtMicrosoft_nav","id":"n4c6c1c1m1r1a2","sN":4,"aN":"c6c1c1m1r1a2"}'>Privacy at Microsoft</a>
                                        </li>
                                        <li>
                                            <a class="c-uhff-link" href="https://www.microsoft.com/investor/default.aspx" data-m='{"cN":"Footer_Company_Investors_nav","id":"n5c6c1c1m1r1a2","sN":5,"aN":"c6c1c1m1r1a2"}'>Investors</a>
                                        </li>
                                        <li>
                                            <a class="c-uhff-link" href="https://www.microsoft.com/en-us/diversity/" data-m='{"cN":"Footer_Company_DiversityAndInclusion_nav","id":"n6c6c1c1m1r1a2","sN":6,"aN":"c6c1c1m1r1a2"}'>Diversity and inclusion</a>
                                        </li>
                                        <li>
                                            <a class="c-uhff-link" href="https://www.microsoft.com/en-us/accessibility" data-m='{"cN":"Footer_Company_Accessibility_nav","id":"n7c6c1c1m1r1a2","sN":7,"aN":"c6c1c1m1r1a2"}'>Accessibility</a>
                                        </li>
                                        <li>
                                            <a class="c-uhff-link" href="https://www.microsoft.com/en-us/security/default.aspx" data-m='{"cN":"Footer_Company_Security_nav","id":"n8c6c1c1m1r1a2","sN":8,"aN":"c6c1c1m1r1a2"}'>Security</a>
                                        </li>

                            </ul>
                            
                        </div>
                </div>
        </nav>
    
</footer>




    </div>
        </div>

    </div>		<!-- end universal footer -->

</div><!-- #page -->
</body>
</html>
